CA3131208C - System and method for building a trusted network of devices - Google Patents


Info

Publication number: CA3131208C
Authority: CA (Canada)
Prior art keywords: blockchain, data, IoT, devices, BIoT
Legal status: Active
Application number: CA3131208A
Other languages: French (fr)
Other versions: CA3131208A1 (en)
Inventor: Syed Bari
Current Assignee: B Data Solutions Inc
Original Assignee: B Data Solutions Inc
Application filed by B Data Solutions Inc
Priority to CA3131208A
Publication of CA3131208A1
Application granted
Publication of CA3131208C

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network > H04L 67/104 Peer-to-peer [P2P] networks
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F 21/44 Program or device authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS > G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS > G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT] > G16Y 30/00 IoT infrastructure > G16Y 30/10 Security thereof
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 for authentication of entities > H04L 63/0823 using certificates
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/12 Applying verification of the received information > H04L 63/126 the source of the received data
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L 9/3247 involving digital signatures
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L 9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/50 using hash chains, e.g. blockchains or hash trees

Landscapes

Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; Theoretical Computer Science; General Engineering & Computer Science; General Physics & Mathematics; Physics & Mathematics; Health & Medical Sciences; General Health & Medical Sciences; Software Systems; Bioethics; Medical Informatics; Data Exchanges In Wide-Area Networks

Abstract

Systems and methods for building a trusted network of devices with an intrusion detection system (IDS) using blockchain IoT (BIoT) technology are provided. The method includes registering an IoT device on a plurality of blockchain network channels. The plurality of blockchain network channels include an authentication channel, a data channel, a remote channel, and a security channel connected to corresponding servers to perform dedicated operations such as device authentication, data management, remote operation/access control, and intrusion detection. On successful authentication, the IoT device is allowed to access, store and retrieve data stored on the blockchain. The blockchain ledger is updated after each data transaction and a new wallet identity or encrypted keys for the IoT device are issued after each transaction. The method further includes receiving an operational instruction from a front-end device and authenticating, from the blockchain record, the wallet identity, user permissions and validity of the operation's parameters based on an organization's policies.

Description

SYSTEM AND METHOD FOR BUILDING A TRUSTED NETWORK OF DEVICES
Technical Field
[0001] The following generally relates to security of computer devices and networks, and more particularly to blockchain-based device security and access control for internet of things (IoT) devices and networks using a multi-chain architecture.
Introduction
[0002] Blockchain network technology includes a connected, immutable, secure, and distributed ledger for keeping a record of transactions at each network terminal (i.e., node). Advanced blockchains like Ethereum contain not only a record of transactions but also computer programs and assets in a secure, encrypted form.
[0003] IoT (Internet of Things) technology comprises a network of connected computer devices collecting and sharing data in real time. The computer devices may include sensors, actuators, software, and physical computing equipment. The IoT devices may be configured to share and use data and computer resources to perform physical operations and provide services. The revolutionary features of IoT systems and the advantages of increased efficiency, predictive maintenance, digital interconnectivity, and scalability have enhanced deployment of IoT for personal and industrial use. Industries have slowly migrated their industrial control, manufacturing, and operational systems to include IoT systems. IoT has been used to augment operations in sectors including healthcare, electricity generation, automobiles, industrial manufacturing, efficient transportation grids, and smart homes. IoT devices generate massive amounts of data and can help build dynamic supply chains based on inputs made through the IoT devices.
[0004] The distributed nature of IoT devices providing access to databases and industrial control systems has made IoT networks vulnerable to data breaches, hacking, and cyber-attacks. Hackers use IoT devices as entry points to gain unauthorized access to computer networks, extract organizational data and carry out cyber-attacks. As IoT devices have become more prolific, so have cyber-attacks that exploit their vulnerabilities. In recent times, these attacks have increased both in frequency and magnitude. The scalability of IoT systems, especially in industrial automation, manufacturing operations and data-based decision-making using sensors and actuators, poses new cybersecurity threats. By breaching or gaining unauthorized access to a single device, hackers may control critical industrial systems to disrupt operations and extract valuable data and confidential information. Thus, the security of IoT networks, particularly when deployed in critical infrastructure like power generation, national security networks, telecommunication systems, defense, transportation, and stock markets, needs to be safeguarded.
Date Recue/Date Received 2021-09-17
[0005] Industrial control systems in various sectors have been attacked by hackers several times in the past decades. While cyber-attacks were generally hidden from the public, the shift to remote working settings for employees has brought cybersecurity risks to the fore. It is therefore crucial that suitable defensive practices and technological barriers be identified and implemented.
[0006] To combat this, disruptive technologies like blockchain can be used to protect the future of IoT-based infrastructure. Blockchain technology provides an ideal solution for the cybersecurity risks on IoT networks, since it eliminates the usual points of failure of traditional password and user ID driven VPN networks. Blockchain technology provides a decentralized, immutable mechanism for digital identities and sharing encrypted data which can be integrated with present-day IoT applications to create a safer, more secure BIoT (Blockchain Internet of Things) alternative.
[0007] Accordingly, there is a need for systems and methods to build a trusted network of devices with an intrusion detection system (IDS) using blockchain IoT (BIoT) technology to provide advanced defensive solutions combined with intrusion monitoring and alert mechanisms embedded at the device level to counteract cyber-threats.
Summary
[0008] A system for building a trusted network of devices is provided. The system includes a plurality of blockchain network channels. The plurality of blockchain network channels include an authentication blockchain channel, a data blockchain channel, a remote blockchain channel, and a security blockchain channel. The authentication blockchain channel is configured to: register a plurality of IoT devices by storing a unique identifier corresponding to the plurality of IoT devices; authenticate the plurality of IoT devices attempting to connect to the plurality of blockchain network channels by verifying the unique identifier of the plurality of IoT devices; and permit the plurality of IoT devices to access the plurality of blockchain network channels after successful authentication. The data blockchain channel is configured to generate and store a cryptographic hash of every data set transacted on the plurality of blockchain network channels. The remote blockchain channel is configured to: store an organizational policy corresponding to a plurality of registered IoT devices, wherein the plurality of registered IoT devices include the plurality of IoT devices registered on the authentication blockchain channel; receive an operation request from the plurality of IoT devices; verify whether the operation request is received from the plurality of registered IoT devices and the operation request is permitted by the organizational policy; and permit the operation request on successful verification. The security blockchain channel is configured to store a plurality of security log records of the plurality of IoT devices.
[0009] The system for building a trusted network of devices also includes a blockchain server platform. The blockchain server platform includes: an authentication server configured to decrypt a registration request and a data interaction request received from the plurality of IoT devices; a data server configured to decrypt incoming data from the plurality of IoT devices and communicate the incoming data to the plurality of blockchain network channels; a remote server configured to perform remote management operations by directly connecting a frontend device to the plurality of IoT devices; and a security server configured to process the operation request for providing the device logs.
[0010] The system for building a trusted network of devices may further include a plurality of blockchain orderers configured to synchronize a plurality of nodes on the plurality of blockchain network channels.
[0011] The system for building a trusted network of devices may further include a plurality of certificate authorities configured to: generate a plurality of digital certificates for the plurality of IoT devices; and validate the plurality of digital certificates for verifying the plurality of IoT devices.
[0012] The plurality of blockchain network channels may be developed on Hyperledger Fabric.

[0013] The unique identifier may include a unique device ID, a digital certificate, a digital signature, a TLS certificate or a key pair of a public key and a private key.
[0014] The operation request may be configured as a smart contract.
[0015] The operation request may further include analyzing device logs, an intrusion detection report wherein the intrusion detection report includes an event of unsuccessful authentication of the plurality of IoT devices, a list of the plurality of registered IoT devices, a system audit, feeding data into the plurality of blockchain network channels, activating a sensor connected to the plurality of IoT devices to feed data into the blockchain network channels, performing a conditional statement or triggering a smart contract.
[0016] The organizational policy may include requirements for permitted operation requests, data sharing protocols, encryption protocols for data storage and access, power allocation to the plurality of nodes, and permitted device operations.
[0017] A method for building a trusted network of devices is provided. The method includes: enrolling an organization on a blockchain server platform; registering a plurality of IoT devices on the blockchain server platform by storing a wallet identity for each device on a plurality of blockchain network channels; authenticating the plurality of IoT devices using the wallet identity by receiving an endorsement by a plurality of peer nodes on the plurality of blockchain network channels; collecting on the blockchain server platform device data received from a plurality of sensors on the plurality of IoT devices; encrypting the device data and simultaneously storing it on the plurality of blockchain network channels; updating the plurality of peer nodes with the updated version of the device data; and retrieving the device data upon receiving an operation request for a plurality of authenticated IoT devices.
[0018] The method may further include an authentication blockchain channel configured to: register a plurality of IoT devices by storing a wallet identity corresponding to the plurality of IoT devices; authenticate the plurality of IoT devices attempting to connect to the plurality of blockchain network channels by verifying the wallet identity of the plurality of IoT devices; and permit the plurality of IoT devices to access the plurality of blockchain network channels after successful authentication. The method may further include a data blockchain channel configured to generate and store a cryptographic hash of every data set transacted on the plurality of blockchain network channels. The method may further include a remote blockchain channel configured to: store an organizational policy corresponding to a plurality of registered IoT devices, wherein the plurality of registered IoT devices include the plurality of IoT devices registered on the authentication blockchain channel; receive an operation request from the plurality of IoT devices; verify whether the operation request is received from the plurality of registered IoT devices and the operation request is permitted by the organizational policy; and permit the operation request on successful verification. The method may further include a security blockchain channel configured to store a plurality of security log records of the plurality of IoT devices.
[0019] The method may further include synchronizing the plurality of peer nodes using a plurality of blockchain orderers.
[0020] The wallet identity may include a unique device ID, a digital certificate, a digital signature, a chain of TLS certificates or a key pair of a public key and a private key.
[0021] The method may further include issuing a plurality of random session tokens after successful authentication of the plurality of IoT devices, wherein the plurality of random session tokens include a set of logical instructions to be performed based on the operation request received from the plurality of IoT devices.
[0022] The plurality of sensors may include a temperature sensor, a pressure sensor, a proximity sensor, an accelerometer and gyroscope sensor, an IR sensor, an optical sensor, an illumination sensor, a humidity sensor, a motion sensor, a sound sensor, a magnetic sensor, and an air quality sensor.
[0023] The operation request may include analyzing device logs, an intrusion detection report wherein the intrusion detection report includes an event of unsuccessful authentication of the plurality of IoT devices, a list of the plurality of registered IoT devices, a system audit, feeding data into the plurality of blockchain network channels, activating a sensor connected to the plurality of IoT devices to feed data into the blockchain network channels, performing a conditional statement or triggering a smart contract.

[0024] A method for building a trusted network of devices is provided. The method includes: performing an operation at a frontend device and sending an operation request to a blockchain server platform and a plurality of blockchain network channels; validating the access permissions of the frontend device and the operation request according to an organizational policy and a wallet identity of the frontend device; sending the operation request to a plurality of IoT devices in encrypted format on successful validation; decryption of the operation request by the plurality of IoT devices and execution of the operation request by the plurality of IoT devices; sending an operation result to the blockchain server platform and the plurality of blockchain network channels; and storing a record of the operation result on the plurality of blockchain network channels.
[0025] The method may further include an authentication blockchain channel configured to: register a plurality of IoT devices by storing a wallet identity corresponding to the plurality of IoT devices; authenticate the plurality of IoT devices attempting to connect to the plurality of blockchain network channels by verifying the wallet identity of the plurality of IoT devices; and permit the plurality of IoT devices to access the plurality of blockchain network channels after successful authentication. The method may further include a data blockchain channel configured to generate and store a cryptographic hash of every data set transacted on the plurality of blockchain network channels. The method may further include a remote blockchain channel configured to: store an organizational policy corresponding to a plurality of registered IoT devices, wherein the plurality of registered IoT devices include the plurality of IoT devices registered on the authentication blockchain channel; receive an operation request from the plurality of IoT devices; verify whether the operation request is received from the plurality of registered IoT devices and the operation request is permitted by the organizational policy; and permit the operation request on successful verification. The method may further include a security blockchain channel configured to store a plurality of security log records of the plurality of IoT devices.
[0026] The wallet identity includes a unique device ID, a digital certificate, a digital signature, a chain of TLS certificates or a key pair of a public key and a private key.

The method may further include issuing a plurality of encryption keys from the blockchain server platform; transmitting the plurality of encryption keys to the plurality of IoT devices; and renewing the encryption keys on execution of the operation request by the plurality of IoT devices.
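As an added illustration of the channel roles in [0008] and the wallet-identity, session-token and key-renewal steps in [0017] to [0026] (example code, not the patent's or B Data Solutions' implementation), the Python model below runs the four channels as in-memory hash-chained ledgers. It assumes an HMAC over a shared device key in place of the certificate or digital signature the patent describes, and a device-to-operations map as the organizational policy; Hyperledger Fabric, orderers and peer endorsement are not modelled.

```python
# Added example modelling the four-channel BIoT platform; not the patent's own code.
# Assumptions: HMAC over a per-device key stands in for certificates/signatures, and
# each channel is an in-memory hash-chained ledger rather than a Hyperledger Fabric channel.
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64


def digest(obj) -> str:
    """Canonical SHA-256 of a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def device_tag(device_key: bytes, nonce: bytes) -> str:
    """Device side: prove possession of the current key (HMAC stands in for a signature)."""
    return hmac.new(device_key, nonce, hashlib.sha256).hexdigest()


class Channel:
    """One blockchain channel, modelled as an append-only hash-chained ledger."""

    def __init__(self):
        self.records = []

    def append(self, payload: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"prev": prev, "payload": payload}
        rec["hash"] = digest(rec)
        self.records.append(rec)
        return rec["hash"]

    def verify(self) -> bool:
        """Recompute the chain; an edited or reordered record breaks it."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or rec["hash"] != digest({"prev": rec["prev"], "payload": rec["payload"]}):
                return False
            prev = rec["hash"]
        return True


class BIoTPlatform:
    """Authentication, data, remote and security channels plus per-transaction key renewal."""

    def __init__(self, policy: dict):
        self.policy = policy      # organizational policy: device id -> set of permitted operations
        self.auth, self.data, self.remote, self.security = Channel(), Channel(), Channel(), Channel()
        self.keys = {}            # current wallet key of each registered device
        self.sessions = {}        # random session token of each authenticated device

    def register(self, device_id: str, device_key: bytes) -> None:
        self.keys[device_id] = device_key
        self.auth.append({"event": "register", "device": device_id, "key_fp": digest(device_key.hex())})

    def authenticate(self, device_id: str, nonce: bytes, tag: str):
        """Returns a session token, or None (plus a security-channel record) on failure."""
        key = self.keys.get(device_id)
        if key is None or not hmac.compare_digest(device_tag(key, nonce), tag):
            self.security.append({"event": "auth_failed", "device": device_id})
            return None
        token = secrets.token_hex(16)
        self.sessions[device_id] = token
        self.auth.append({"event": "auth_ok", "device": device_id})
        return token

    def _session_ok(self, device_id: str, token: str) -> bool:
        current = self.sessions.get(device_id)
        if current is None or not hmac.compare_digest(current, token):
            self.security.append({"event": "invalid_session", "device": device_id})
            return False
        return True

    def submit_data(self, device_id: str, token: str, payload: dict):
        """Data channel stores only the hash; the device key is renewed after the transaction."""
        if not self._session_ok(device_id, token):
            return None
        self.data.append({"device": device_id, "data_hash": digest(payload)})
        new_key = secrets.token_bytes(32)
        self.keys[device_id] = new_key
        del self.sessions[device_id]   # the old wallet identity is retired together with the old key
        self.auth.append({"event": "key_renewed", "device": device_id, "key_fp": digest(new_key.hex())})
        return new_key                 # the real system would deliver this to the device encrypted

    def request_operation(self, device_id: str, token: str, operation: str) -> bool:
        """Remote channel: registered device, live session and policy-permitted operation."""
        if not self._session_ok(device_id, token):
            return False
        permitted = device_id in self.keys and operation in self.policy.get(device_id, set())
        self.remote.append({"device": device_id, "operation": operation, "permitted": permitted})
        if not permitted:
            self.security.append({"event": "policy_violation", "device": device_id, "operation": operation})
        return permitted

    def intrusion_report(self) -> list:
        """Unsuccessful-authentication events, as the summary's intrusion detection report describes."""
        return [r["payload"] for r in self.security.records if r["payload"]["event"] == "auth_failed"]
```

After one data transaction the device's previous key no longer authenticates, and every rejected attempt lands on the security channel where `intrusion_report()` picks it up; `Channel.verify()` detects any later edit of a stored record.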
Brief Description of the Drawings
[0027] Figure 1 is a schematic diagram of a system for building an intrusion detection system (IDS) using blockchain IoT (BIoT) technology, according to an embodiment.
[0028] Figure 2 is a block diagram of an IoT device, according to an embodiment.
[0029] Figure 3 is a block diagram of a sensor, according to an embodiment.
[0030] Figure 4A is a schematic diagram of the architecture of the system of Figure 1 for building a trusted network of devices with an intrusion detection system (IDS) using blockchain IoT (BIoT) technology, according to an embodiment.
[0031] Figure 4B is a schematic diagram of the architecture of a system for building a trusted network of devices with an intrusion detection system (IDS) using blockchain IoT (BIoT) technology, according to an embodiment.
[0032] Figures 5A and 5B are a flow diagram of a method of enrolling and authenticating an organization and a device on a BIoT server platform, according to an embodiment.
[0033] Figure 6 is a flow diagram of a method of device authentication on the BIoT server platform for providing secure access to organizational data, according to an embodiment.
[0034] Figures 7A and 7B are a flow diagram of a method of data management, secure communication of data from a BIoT device and storing a record of the transaction on the blockchain connected to the BIoT server platform, according to an embodiment.
[0035] Figure 8 is a flow diagram of a method of remote management and verifying access permissions before performing an operation based on the instructions inputted by the user, according to an embodiment.

[0036] Figure 9 illustrates a screen capture of an example of displaying an inventory of registered devices, according to an embodiment.
[0037] Figure 10 illustrates a screen capture of an example of remote management of front-end devices, according to an embodiment.
[0038] Figure 11 illustrates a screen capture of an example of data management of registered devices, according to an embodiment.
[0039] Figure 12 illustrates a screen capture 1200 of an example of a user interface providing security analysis and intrusion detection services on data transactions conducted by a device, according to an embodiment.
[0040] Figure 13 illustrates a screen capture 1300 of an example of a user interface providing security analysis and intrusion detection services on data transactions conducted by a device, according to an embodiment.
[0041] Figure 14 illustrates a screen capture 1400 of an example of a user interface providing security analysis and intrusion detection services on data transactions conducted by a device, according to an embodiment.
Detailed Description
[0042] Various apparatuses or processes will be described below to provide an example of each claimed embodiment. No embodiment described below limits any claimed embodiment and any claimed embodiment may cover processes or apparatuses that differ from those described below. The claimed embodiments are not limited to apparatuses or processes having all of the features of any one apparatus or process described below or to features common to multiple or all of the apparatuses described below.
[0043] One or more systems described herein may be implemented in computer programs executing on programmable computers, each comprising at least one processor, a data storage system (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. For example, and without limitation, the programmable computer may be a programmable logic unit, a mainframe computer, a server, a personal computer, a cloud-based program or system, a laptop, a personal digital assistant, a cellular telephone, a smartphone, a tablet device, IoT (internet of things) devices like sensors, actuators, industrial automated equipment, or connected electronic systems.
[0044] Each program is preferably implemented in a high-level procedural or object-oriented programming and/or scripting language to communicate with a computer system. However, the programs can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Each such computer program is preferably stored on a storage media or a device readable by a general or special purpose programmable computer for configuring and operating the computer when the storage media or device is read by the computer to perform the procedures described herein.
[0045] A description of an embodiment with several components in communication with each other does not imply that all such components are required. On the contrary, a variety of optional components are described to illustrate the wide variety of possible embodiments of the present invention.
[0046] Further, although process steps, method steps, algorithms or the like may be described (in the disclosure and / or in the claims) in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of processes described herein may be performed in any order that is practical. Further, some steps may be performed simultaneously.
[0047] When a single device or article is described herein, it will be readily apparent that more than one device / article (whether or not they cooperate) may be used in place of a single device / article. Similarly, where more than one device or article is described herein (whether or not they cooperate), it will be readily apparent that a single device / article may be used in place of the more than one device or article.
[0048] The systems and methods described herein generally relate to security of computer devices and networks, and more particularly to blockchain-based device security and access control for internet of things (IoT) devices and networks using a multi-chain architecture.
[0049] References herein to blockchain mean a secure, decentralized, immutable, distributed ledger mechanism for verifying digital identities and sharing encrypted data. The blockchain described herein includes a ledger or record of transactions, data entries and access requests stored over a network of computer devices called nodes, referred to collectively as a peer network, wherein copies of an authentic version of the ledger are stored at each node on the peer network. The peer network may employ consensus building protocols to determine the authenticity of the ledger.
[0050] Immutability, as used herein, refers to linking nodes together and storing copies of the same version of the ledger on each node to prevent data tampering. Blockchain IoT (BIoT) technology described herein refers to the integration of IoT and blockchain technologies, wherein the IoT devices are connected to a blockchain network. The IoT devices are authenticated and verified according to the protocols set by the blockchain network. Further, the IoT devices communicate securely over a blockchain network using cryptographic technology.
[0051] References herein to IoT (Internet of Things) devices mean electronic devices connected to a network capable of data input/output, or processing or communication, including, but not limited to, actuators, sensors, PLCs (programmable logic controllers), industrial control systems, trackers, appliances, laptops, servers, cloud instances, and cloud networks. The IoT device may be connected to a variety of networks, including, but not limited to, an organizational private network, or the internet, or a local area network, or a Virtual Private Network (VPN), or a combination of these networks. The IoT device may be connected using a variety of communication methods, including, but not limited to, Radio Frequency Identification (RFID), Cellular (3G/4G/5G), Wi-Fi, Bluetooth, Bluetooth Low Energy (BLE), mesh protocols such as Zigbee and Z-Wave, and Low Power Wide Area Networks (LPWANs).
[0052] References herein to BIoT (Blockchain Internet of Things) devices mean an IoT device connected to the blockchain network described in the present disclosure. Further, a BIoT device may refer to an IoT device authenticated on any of the blockchain channels described in the present disclosure. A front-end device or IoT device referred to in the following embodiments may refer to the BIoT device except where separately defined.
[0053] IoT devices and networks built for industrial systems or personal use can put valuable data at risk and disrupt normal operations. Certain IoT devices operating on low-power networks may not have proper cybersecurity and data protection safeguards in place. Blockchain technology offers an optimal solution to address the cybersecurity concerns of IoT networks. The decentralized, secure, trusted, transparent and immutable features of blockchain technology can be leveraged in IoT systems to encrypt data communications, validate access at entry points, and authenticate instructions and data inputs.
[0054] Interoperating with blockchain technology can address the security vulnerabilities of IoT networks. IoT devices on a network may be validated and permissions may be granted based on blockchain protocols set by an organization.
Limited permissions may be granted to nodes susceptible to unauthorized access, and data can be verified before storing the data in an organizational database.
Communication and data exchange between IoT devices may be cryptographically encoded. Advanced consensus-building algorithms may be used to identify suspicious devices or unauthorized activity and to automatically reject access to such devices.
[0055] The systems and methods in the present disclosure include forming a decentralized trusted network of devices that provides end-to-end encrypted, secure, immutable, and auditable data streaming with remote endpoint management and intrusion detection in real time. The intrusion detection functions in the present systems and methods are stored on servers configured to apply artificial intelligence to audit and detect anomalies to prevent cyber-attacks. The intrusion detection functions may include monitoring inbound or outbound network or device traffic, data access, remote management, device registration, or other functions offered by the systems and methods in the present disclosure for suspicious activity, including unauthorized access, violation of any organizational policy, or violation of data protection / cybersecurity standards such as GDPR, NIST 800-53, GPG13, TSC SOC2, and HIPAA. The intrusion detection system in the present disclosure may include generation of alerts when a suspicious activity is detected and keeping log information of the suspicious activity. The intrusion detection system in the present disclosure, supported by the immutability offered by various blockchain channels, may be advantageous in taking action and preventing suspicious activity, including preventing registration of a device, blocking data traffic sent and requested from the suspicious device, and blocking remote management instructions.
The intrusion detection system of the present disclosure may be network-based or host device-based.
[0056] The functions of an intrusion detection system in the present disclosure may be achieved by storing intrusion detection rules on the servers, including the BIoT Authentication Server or a BIoT Data Server. The intrusion detection rules may include a baseline to determine the normal behavior of devices, including data access, remote management instructions, bandwidth, data protection standards, protocols, ports and other devices. The intrusion detection rules may include an organization's data storage and access policy. The suspicious activity may include an anomaly or deviation from the intrusion detection rules stored on the server. On detecting any suspicious activity in violation of the intrusion detection rules, the system in the present disclosure may raise an alert and block the suspicious device. The system may record the signature database, device identification, and transaction logs of the suspicious device. A person skilled in the art would be aware of the implementational details of the intrusion detection system, including the placement of the intrusion detection system, storing the intrusion detection system rules on the server, capturing network traffic, triggering and blocking mechanisms, presenting notifications and logs, and receiving instructions from a system administrator. In a preferred embodiment, the intrusion detection system may be placed to optimally monitor traffic at device interfaces within or external to the organization, such as at firewalls, end hosts or the IoT device's operating system. Further, a plurality of intrusion detection systems may be placed over the network at different vantage points.
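The following is an added illustration (not code from the patent or from B Data Solutions) of the rule scheme in [0056]: a per-device baseline covering ports, bandwidth, remote instructions and data access, evaluated against constructed events, with a deviation raising an alert and blocking the device. The rule fields, event layout and sample events are assumptions.

```python
"""Rule-based intrusion detection over constructed device events (added example)."""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Normal-behaviour profile for one device (field names are assumptions)."""
    allowed_ports: set
    allowed_remote_instructions: set
    allowed_data_paths: set
    max_bytes_per_minute: int


@dataclass
class Event:
    device_id: str
    kind: str          # "data_access" | "remote_instruction" | "traffic"
    detail: str        # data path, instruction name, or destination port
    nbytes: int = 0    # payload size for traffic events
    minute: int = 0    # coarse time bucket used for bandwidth accounting


@dataclass
class IdsState:
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    bandwidth: dict = field(default_factory=dict)  # (device, minute) -> bytes


def evaluate(event, baselines, state):
    """Check one event against its device baseline.

    Returns None when the event is within baseline. Otherwise returns a
    message; a genuine deviation is appended to state.alerts and the device
    is added to the block set, while events from an already-blocked device
    are simply dropped (no second alert).
    """
    if event.device_id in state.blocked:
        return f"{event.device_id}: dropped, device already blocked"
    base = baselines.get(event.device_id)
    if base is None:
        reason = "unregistered device"
    elif event.kind == "remote_instruction":
        if event.detail in base.allowed_remote_instructions:
            return None
        reason = f"remote instruction {event.detail!r} outside baseline"
    elif event.kind == "data_access":
        if event.detail in base.allowed_data_paths:
            return None
        reason = f"data access to {event.detail!r} outside policy"
    elif event.kind == "traffic":
        if event.detail not in base.allowed_ports:
            reason = f"traffic to port {event.detail} outside baseline"
        else:
            key = (event.device_id, event.minute)
            state.bandwidth[key] = state.bandwidth.get(key, 0) + event.nbytes
            if state.bandwidth[key] <= base.max_bytes_per_minute:
                return None
            reason = f"bandwidth {state.bandwidth[key]} B/min exceeds baseline"
    else:
        reason = f"unknown event kind {event.kind!r}"
    alert = f"{event.device_id}: {reason}"
    state.alerts.append(alert)
    state.blocked.add(event.device_id)
    return alert


def run(events, baselines):
    """Evaluate a sequence of events and return the resulting IDS state."""
    state = IdsState()
    for ev in events:
        evaluate(ev, baselines, state)
    return state


# Constructed baseline for a single registered PLC.
BASELINES = {
    "plc-01": Baseline(allowed_ports={"8883"},
                       allowed_remote_instructions={"restart", "read_status"},
                       allowed_data_paths={"/data/line1"},
                       max_bytes_per_minute=50_000),
}

# Constructed event stream: two normal traffic bursts, a permitted read,
# an out-of-policy remote instruction, a dropped follow-up, and an
# unregistered device.
SAMPLE_EVENTS = [
    Event("plc-01", "traffic", "8883", nbytes=20_000, minute=1),
    Event("plc-01", "traffic", "8883", nbytes=20_000, minute=1),
    Event("plc-01", "data_access", "/data/line1"),
    Event("plc-01", "remote_instruction", "firmware_flash"),
    Event("plc-01", "data_access", "/data/line1"),
    Event("cam-77", "traffic", "8883", nbytes=10, minute=1),
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS, BASELINES).alerts:
        print(line)
```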
[0057] The systems and methods described herein provide a multi-chain architecture based on Hyperledger Fabric that ensures low-latency peer-to-peer authentication and data streaming. The systems and methods of the present disclosure may be deployed on an IoT network used by an organization. On successful consensus in the organization on endorsing peers and setting communication and data sharing protocols, the present disclosure provides systems and methods wherein a new device may be authenticated and receive a trusted status to stream data from the device to pre-authenticated designated servers on the organization's blockchain-based IoT network.
To ensure the security and validity of data streamed by the IoT devices, time-stamped hashes are created for every data point from a trusted device, and every hash is stored in the distributed, immutable ledger for auditing and verification, if required.
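An added illustration (not the patent's or B Data Solutions' code) of the per-data-point scheme in [0057]: each point from a trusted device is hashed together with its timestamp, the hashes are chained onto an append-only ledger, and a later audit recomputes the hash of a stored payload against the ledger entry. The hash layout and the in-memory ledger standing in for the data blockchain channel are assumptions.

```python
"""Time-stamped hash ledger for streamed data points (added example)."""
import hashlib
import json
from dataclasses import dataclass


def data_point_hash(device_id, timestamp, payload):
    """SHA-256 over a canonical JSON encoding of (device, timestamp, payload)."""
    canonical = json.dumps({"device": device_id, "ts": timestamp, "payload": payload},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class Entry:
    index: int
    device_id: str
    timestamp: int      # Unix seconds, supplied by the ingesting server
    point_hash: str     # hash of the data point itself
    prev_hash: str      # entry_hash of the preceding ledger entry
    entry_hash: str     # hash binding this entry to its predecessor


class HashLedger:
    """Append-only chain of data-point hashes (stand-in for the data channel)."""
    GENESIS = "0" * 64

    def __init__(self, trusted_devices):
        self.trusted = set(trusted_devices)
        self.entries = []

    @staticmethod
    def _entry_hash(index, device_id, timestamp, point_hash, prev_hash):
        material = f"{index}|{device_id}|{timestamp}|{point_hash}|{prev_hash}"
        return hashlib.sha256(material.encode()).hexdigest()

    def record(self, device_id, timestamp, payload):
        """Hash one data point from a trusted device and chain it onto the ledger."""
        if device_id not in self.trusted:
            raise PermissionError(f"{device_id} is not a trusted device")
        if self.entries and timestamp < self.entries[-1].timestamp:
            raise ValueError("timestamps must not move backwards")
        index = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        ph = data_point_hash(device_id, timestamp, payload)
        entry = Entry(index, device_id, timestamp, ph, prev,
                      self._entry_hash(index, device_id, timestamp, ph, prev))
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Recompute every link; False if any entry was altered, reordered or removed."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev:
                return False
            if e.entry_hash != self._entry_hash(i, e.device_id, e.timestamp, e.point_hash, prev):
                return False
            prev = e.entry_hash
        return True

    def audit(self, index, device_id, timestamp, payload):
        """Does a payload held elsewhere (e.g. a data server database) match entry `index`?"""
        if index < 0 or index >= len(self.entries):
            return False
        e = self.entries[index]
        return (e.device_id == device_id and e.timestamp == timestamp
                and e.point_hash == data_point_hash(device_id, timestamp, payload))


if __name__ == "__main__":
    # Constructed stream from one trusted sensor.
    ledger = HashLedger(["sensor-a"])
    ledger.record("sensor-a", 1700000000, {"temp_c": 21.5})
    ledger.record("sensor-a", 1700000060, {"temp_c": 22.0})
    print("chain valid:", ledger.verify_chain())
    print("audit ok:", ledger.audit(0, "sensor-a", 1700000000, {"temp_c": 21.5}))
```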
[0058] The present systems and methods include a protocol that provides a comprehensive protective, proactive and predictive solution to fend off cyber-attacks on critical infrastructures including nuclear, power, defense, telecom, and banks.
[0059] The systems and methods described herein provide a secure and decentralized alternative to MQTT (Message Queuing Telemetry Transport) and VPN (Virtual Private Networking) technology, and provide a private, secure distributed network of trusted devices with encrypted, immutable data streaming and device integrity with endpoint management and intrusion detection. The present systems and methods may include setting protocols for allocating processing power to each node, thereby improving energy efficiency and providing a lightweight and environmentally friendly protocol which requires low processing power and very low RAM to run on edge (i.e., network entry point) devices. The present systems and methods described herein are compatible with at least Mac, Windows and Linux based operating systems.
[0060] The systems and methods described herein may advantageously provide improved network security and privacy, and detection and prevention of network anomalies, by leveraging the immutability, transparency, distributed architecture, and encrypted communication offered by blockchain channels. The services offered by the systems and methods described herein may include providing data access and transaction logs of IoT devices connecting, attempting to connect, and exchanging data with a blockchain channel described herein. A plurality of blockchain channels may provide an immutable, encrypted record of transactions of IoT devices, including access requests and data changes. This record of transactions stored on an immutable ledger may be used as transaction logs for data audits. The distributed ledger of the blockchain channel may advantageously provide a secure, reliable account to verify and match transaction logs and assist in data audits.
The system and method described herein may be configured to store transaction logs to comply with data logging requirements under industry standards such as HIPAA or GDPR. The transaction logs may include IoT device or user information as required by industry standards such as ISO/IEC 27002. Generally, the transaction logs may include wallet identity information of the IoT device as described herein, session token, public keys, User ID, dates and times of data transactions, device location, sensor or front-end device ID, number of access attempts, files accessed by the IoT device, record of remote management instructions, port accessed, or external connections. The systems and methods described herein may be configured to dynamically retrieve the audit trail of data interactions recorded on the distributed ledger.
[0061] The systems and methods described herein may include providing a user interface to present device security statistics, including the compliance status with respect to cybersecurity and data protection standards, active users, common actions performed, recent files added, modified and deleted, timestamp of events, identifier and location of files modified, date and time of modification, information on the user performing the file modification, permissions granted to the user, and size of file. The user interface may also provide integrity monitoring functions, including frequency of events, date and time of events, description of event, rule level, rule ID, top requirements under a rule, rule level distribution, and top rule groups.
[0062] The systems and methods described herein provide an intrusion detection system supported by the plurality of blockchain channels for identifying data security incidents. The services include analyzing the frequency, source and character of the data intrusion attempts, and identifying system vulnerabilities. The data assets are stored on the plurality of blockchain channels to provide an immutable record of transactions.
Additionally, the system may be used for providing regulatory compliance and meeting data security regulations. Further, the system may be used for triggering security responses in the event of a suspicious activity, thereby preventing data breaches and violations of security protocols. The combination of the intrusion detection system with blockchain-based data storage and security improves the efficiency and accuracy of threat detection and prevention and increases detection rates, with a reduced consumption of resources including storage and energy.
[0063] Referring to Figure 1, illustrated therein is a block diagram illustrating a system 100 for building a trusted network of devices with an intrusion detection system (IDS) using blockchain IoT (BIoT) technology, in accordance with an embodiment. The system 100 provides security and access control for IoT devices and networks.
Generally, an IoT device includes electronic devices capable of data input/output, processing and communication, including actuators, sensors, appliances, robotic equipment, assembly line operators, security system components, smart devices, industrial control systems and cloud networks. The IoT device may be used in an industrial setting or for personal use by a consumer.
[0064] The system 100 includes at least one BIoT device 106 connected to a BIoT server platform 128. The BIoT device described herein may include at least one computing device, including a laptop computer, a desktop computer, a server platform, a smart device, or the like, capable of data input/output and/or storing, processing or executing instructions, and connected to the BIoT server platform.
[0065] The BIoT device may be a piece of industrial equipment or a smart device for personal use by a consumer. The BIoT device may itself include other BIoT devices and may establish a communicative connection to other BIoT devices by a wireless connection via a network or by a wired connection.
[0066] The BIoT device may be powered by an operating system such as Mac, Windows, Linux, or the like.
[0067] Examples of the BIoT device are illustrated therein as 106 connected to the BIoT server platform 128. In various embodiments, the BIoT device may establish a communicative connection to the BIoT server platform by a wired connection or by a wireless connection via a network 108.
[0068] The BIoT device may include at least one sensor 102. The BIoT device 106 may establish a communicative connection to the sensor by a wireless connection via a network or by a wired connection, according to various embodiments.
[0069] The sensor 102 may be a device for detecting external stimuli/information and communicating the external stimuli/information in the form of a signal to the BIoT device 106. The sensor 102 may be used in augmenting and scaling the capabilities of the BIoT device. The sensor 102 may include at least one of a temperature sensor, a pressure sensor, a proximity sensor, an accelerometer, a gyroscope, an IR sensor, an optical sensor, an illumination sensor, a humidity sensor, a motion sensor, a microphone, a magnetic sensor, an air quality sensor, or the like.
[0070] The BIoT devices 106 and sensors 102 may include one or more of a memory, a secondary storage device, a processor, an input device, a display device, and an output device. Memory may include random access memory (RAM) or similar types of memory. Also, memory may store one or more applications for execution by the processor.
Applications may correspond with software modules comprising computer-executable instructions to perform processing for the functions described below.
Secondary storage device may include a hard disk drive, floppy disk drive, CD drive, DVD drive, Blu-ray drive, or other types of non-volatile data storage. Processor may execute applications, computer-readable instructions or programs. The applications, computer-readable instructions or programs may be stored in memory or in secondary storage, or may be received from the Internet or another network. Input device may include any device for entering information into BIoT device 106 or sensor 102. For example, input device may be a keyboard, key pad, cursor-control device, touch-screen, sensor receptor, camera, or microphone.
Display device may include any type of device for presenting visual information. For example, display device may be a computer monitor, a flat-screen display, a projector or a display panel. Output device may include any type of device for presenting a hard copy of information, such as a printer, for example. Output device may also include other types of output devices such as speakers, for example. In some cases, the BIoT device and sensor may include multiple of any one or more of processors, applications, software modules, secondary storage devices, network connections, input devices, output devices, and display devices.
[0071] The BIoT devices 106 and sensors 102 described herein represent various embodiments of an IoT device connected to a blockchain network for IoT device authentication and secure data communication. That is, a single BIoT device may receive signals from a sensor array on the BIoT device or from a sensor communicatively connected to the BIoT device. The BIoT devices are also connected to the BIoT server platform 128, where the BIoT device is authenticated and secure communication is established. The sensor may detect a variety of environmental data including motion, sounds, illumination, weight or pressure.
[0072] The BIoT device 106 may be connected with other BIoT devices and establish secure data sharing and control by communicating over a secure BIoT server platform. For example, the BIoT device may be an actuator or industrial control equipment operating on a manufacturing or assembly line in an industry. The BIoT device may be connected to other BIoT devices operating on the same assembly line but handling distinct segments of the manufacturing or assembling operations. In all embodiments, at least one BIoT device is communicatively connected to a sensor or an actuator and, after receiving authentication from the BIoT server platform, performs secure operations including access control and secure data exchange.
[0073] The BIoT server platform 128, BIoT devices 106, sensors 102, and nodes on a plurality of blockchains may be a server computer, desktop computer, notebook computer, tablet, PDA, smartphone, or another computing device. The BIoT devices and sensors may include a connection with the network such as a wired or wireless connection to the Internet. In some cases, the network may include other types of computer or telecommunication networks.
[0074] Although BIoT devices and sensors are described with various components, one skilled in the art will appreciate that the BIoT devices and sensors may in some cases contain fewer, additional or different components. In addition, although aspects of an implementation of the BIoT devices and sensors may be described as being stored in memory, one skilled in the art will appreciate that these aspects can also be stored on or read from other types of computer program products or computer-readable media, such as secondary storage devices, including hard disks, floppy disks, CDs, or DVDs; a carrier wave from the Internet or other network; or other forms of RAM or ROM.
The computer-readable media may include instructions for controlling the BIoT devices and sensors and/or processor to perform a particular method.
[0075] In the description that follows, devices such as the BIoT server platform 128, sensor 102, BIoT devices 106, and blockchain channels 126 are described performing certain acts. It will be appreciated that any one or more of these devices may perform an act automatically or in response to an interaction by a user of that device.
That is, the user of the device may manipulate one or more input devices (e.g., a touchscreen, a mouse, or a button), causing the device to perform the described act. In many cases, this aspect may not be described below, but it will be understood.
[0076] As an example, it is described below that the BIoT devices 106 and sensors 102 may send information to the BIoT server platform 128. For example, a user using the BIoT device 106 may manipulate one or more input devices (e.g., a mouse and a keyboard) to interact with a user interface of the BIoT device 106 to enter certain input instructions. Generally, the BIoT device 106 may receive a user interface from the network (e.g., in the form of a webpage). Alternatively, or in addition, a user interface may be stored locally at a device (e.g., a cache of a webpage or a mobile application).
[0077] The BIoT server platform 128 may be configured to receive a plurality of information from each of the plurality of sensors 102, the plurality of BIoT devices 106, and the plurality of blockchain channels 126. Generally, the information may comprise at least a stream of data captured by the sensor, authentication information of the BIoT device or the user, and organizational data stored on the blockchain ledger in one of the plurality of blockchain channels. For example, the authentication information may comprise one or more of a username, e-mail address, password, device UUID/UDID, digital signature, digital wallet, TLS certificate, employee ID or the like.
[0078] In response to receiving information, the BIoT server platform 128 may store the information in a storage database. Generally, the BIoT server platform stores the encrypted data on the plurality of blockchain ledgers. For example, the IoT server may store encrypted data on an authentication blockchain channel 126 to provide services including blockchain immutability 122. The blockchain channels may additionally augment external storage databases to store the encrypted data. In some cases, the storage database may comprise one or more storage devices located at a networked cloud storage provider.
[0079] The system 100 includes a BIoT server platform 128 which communicates with a plurality of sensors 102, a plurality of BIoT devices 106, and a plurality of blockchain channels 126 via a network 128. The BIoT server platform 128 may be a purpose-built machine designed specifically for receiving and communicating encrypted data in real time from the BIoT devices and sensors, and for processing and authenticating the data. The BIoT server platform may be configured to be communicatively connected to a plurality of blockchains, including an authentication channel, a data channel, a remote channel and a security channel. The BIoT server platform may be configured to simultaneously communicate with a plurality of blockchains and securely transfer data.
[0080] The BIoT server platform may include a BIoT Authentication Server 118. The BIoT Authentication Server may be communicatively connected to the BIoT device and perform BIoT device authentication operations. Encrypted data 112 may be transmitted from the BIoT device 106 to the BIoT server platform 128. The BIoT device 106 may be issued a cryptographic chain of TLS certificates by the BIoT server platform 128. The cryptographic chain of TLS certificates may be stored in a wallet identity 116 of the BIoT device 106. The BIoT device 106 may connect with the BIoT Authentication Server 118 using the wallet identity 116. The BIoT Authentication Server 118 may validate the wallet identity 116 of the BIoT device 106 using the registration information stored on the authentication blockchain channel 126. The authentication blockchain channel 126 may be a distributed blockchain ledger that stores the information of BIoT devices registered as described herein. For example, the BIoT Authentication Server 118 may check the UUID of the BIoT device 106 attempting to access organizational data stored on the blockchain against the UUIDs of the registered devices stored on the authentication blockchain channel 126. The organization is given access to the same ledger, which is read from the device during the first-time device activation.
On successful authentication, the BIoT device may be issued a random session token 114 at every data transaction. The random session token 114 is automatically renewed before expiry if the BIoT device subscription is valid. The random session token 114 may expire after every data transaction.
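An added illustration (not the patent's or B Data Solutions' code) of the flow in [0080]: the authentication server checks the connecting device's wallet identity against the registration record held on the authentication channel, then issues a random session token that is good for exactly one data transaction and is reissued only while the subscription is valid. The registry shape, the certificate-chain fingerprint standing in for full TLS chain validation, and the token policy are assumptions.

```python
"""Wallet-identity check and single-use session tokens (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class WalletIdentity:
    """What the device presents: its UUID and the TLS chain issued at registration."""
    uuid: str
    cert_chain_pem: bytes


def cert_fingerprint(chain_pem):
    """SHA-256 of the chain bytes; stands in for full certificate-chain validation."""
    return hashlib.sha256(chain_pem).hexdigest()


class AuthenticationServer:
    """Validates wallet identities against the registration ledger and manages tokens."""

    def __init__(self, registry):
        # registry models the authentication channel:
        #   uuid -> {"fingerprint": <hex>, "subscription_valid": <bool>}
        self.registry = registry
        self.sessions = {}  # live token -> device uuid

    def authenticate(self, wallet):
        """Return a fresh session token, or None if the identity does not check out."""
        record = self.registry.get(wallet.uuid)
        if record is None:
            return None  # UUID not present in the registration record
        presented = cert_fingerprint(wallet.cert_chain_pem)
        if not hmac.compare_digest(record["fingerprint"], presented):
            return None  # registered UUID but a different certificate chain
        if not record["subscription_valid"]:
            return None
        return self._issue(wallet.uuid)

    def _issue(self, uuid):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.sessions[token] = uuid
        return token

    def data_transaction(self, token, payload):
        """Consume the token for one transaction.

        Returns (accepted, next_token). The presented token is invalidated
        whether or not it was valid; a replacement is issued only while the
        device's subscription remains valid.
        """
        uuid = self.sessions.pop(token, None)
        if uuid is None:
            return False, None  # unknown, expired or already-used token
        # The payload would be handed to the data server here.
        _ = payload
        if self.registry[uuid]["subscription_valid"]:
            return True, self._issue(uuid)
        return True, None


def build_demo_registry():
    """Constructed registration record for one device (sample data, not real)."""
    return {
        "dev-1": {"fingerprint": cert_fingerprint(b"constructed chain for dev-1"),
                  "subscription_valid": True},
    }


if __name__ == "__main__":
    server = AuthenticationServer(build_demo_registry())
    tok = server.authenticate(WalletIdentity("dev-1", b"constructed chain for dev-1"))
    ok, nxt = server.data_transaction(tok, {"temp_c": 21.5})
    print("first transaction accepted:", ok, "replay accepted:",
          server.data_transaction(tok, {"temp_c": 21.5})[0])
```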
[0081] The BIoT device 106 may be associated with an organization's account.
Similarly, the BIoT administrator device may be associated with an administrator account, and the BIoT user device may be associated with a user account. Any suitable mechanism for associating a device with an account is expressly contemplated.
In some cases, a device may be associated with an account by sending credentials (e.g., a digital signature, UUID/UDID or password, etc.) to the BIoT server platform 128. The BIoT server platform 128 may verify the credentials (e.g., determine that the device credentials or the received password match a password associated with the account). If a BIoT device 106 is associated with an account, or on authentication, the BIoT server platform 128 may consider further acts by that device to be associated with that account.
[0082] Figure 2 shows a simplified block diagram of components of a device 200, such as a mobile device, a portable electronic device, an IoT device or a front-end device. The device 200 may be, for example, any of the devices of Figure 1. The device 200 includes multiple components such as a processor 202 that controls the operations of the device 200. Communication functions, including data communications, voice communications, or both, may be performed through a communication subsystem 204.
Data received by the device 200 may be decompressed and decrypted by a decoder 206.
The communication subsystem 204 may receive messages from and send messages to a wireless network 250.
[0083] The wireless network 250 may be any type of wireless network, including, but not limited to, data-centric wireless networks, voice-centric wireless networks, and dual-mode networks that support both voice and data communications.
[0084] The device 200 may be a battery-powered device and as shown includes a battery interface 242 for receiving one or more rechargeable batteries 244.
[0085] The processor 202 also interacts with additional subsystems such as a Random Access Memory (RAM) 208, a flash memory 210, a display 212 (e.g. with a touch-sensitive overlay 214 connected to an electronic controller 216 that together comprise a touch-sensitive display 218), an actuator assembly 220, one or more optional force sensors 222, an auxiliary input/output (I/O) subsystem 224, a data port 226, a speaker 228, a microphone 230, short-range communications systems 232 and other device subsystems 234.
[0086] In some embodiments, user-interaction with the graphical user interface may be performed through the touch-sensitive overlay 214. The processor 202 may interact with the touch-sensitive overlay 214 via the electronic controller 216. Information, such as text, characters, symbols, images, icons, and other items that may be displayed or rendered on a portable electronic device generated by the processor 202 may be displayed on the touch-sensitive display 218.
[0087] The processor 202 may also interact with an accelerometer 236 as shown in Figure 2. The accelerometer 1360 may be utilized for detecting direction of gravitational forces or gravity-induced reaction forces.
[0088] To identify a subscriber for network access according to the present embodiment, the device 200 may use a Subscriber Identity Module or a Removable User Identity Module (SIM/RUIM) card 238 inserted into a SIM/RUIM interface 240 for communication with a network (such as the wireless network 250).
Alternatively, user identification information may be programmed into the flash memory 210 or performed using other techniques.
[0089] The device 200 also includes an operating system 246 and software components 248 that are executed by the processor 202 and which may be stored in a persistent data storage device such as the flash memory 210. Additional applications may be loaded onto the device 200 through the wireless network 250, the auxiliary I/O subsystem 224, the data port 226, the short-range communications subsystem 232, or any other suitable device subsystem 234.
[0090] For example, in use, a received signal such as a text message, an e-mail message, web page download, or other data may be processed by the communication subsystem 204 and input to the processor 202. The processor 202 then processes the received signal for output to the display 212 or alternatively to the auxiliary I/O subsystem 224. A subscriber may also compose data items, such as e-mail messages, for example, which may be transmitted over the wireless network 250 through the communication subsystem 204.
[0091] For voice communications, the overall operation of the device 200 may be similar. The speaker 228 may output audible information converted from electrical signals, and the microphone 230 may convert audible information into electrical signals for processing.
[0092] Figure 3 shows a simplified block diagram of components of a sensor 300, such as a pressure sensor or a temperature sensor.
[0093] The sensor 300 may receive data from an external stimulus 310 such as water, pressure or heat. The sensor is further communicatively connected to a BIoT device 312 to send the sensor data to the BIoT device 312. The BIoT device 312 may be the BIoT device 106 of Figure 1.
[0094] According to an embodiment, the sensor 300 may be embedded on the BIoT device 312. The BIoT device activates once the power supply 310 is switched on. The power supply 310 may provide an electrical power of 9 volts. On receiving power, an input signal and sensor unit 308 is activated. The input signal and sensor unit 308 is communicatively connected in the sensor 300 using Input/Output ports, which ensures that all the data is collected using a hardwired / local network. A processing unit 306 is used to collect data from the input signal and sensor unit 308 and convert it into communicable, encrypted data using the BIoT protocol stored on the Communications Link 304.
The encryption of data ensures that all the sensor data is completely encrypted using cryptographic signatures. A cryptographic hash is created for each data point which is streamed from the BIoT device with an embedded sensor. The encrypted data points can only be decrypted by a decryption server hosted either on the local network or in the cloud.
[0095] Figure 4A, illustrated therein, is a schematic diagram of the architecture of the system 100 of Figure 1 for building a trusted network of devices with an intrusion detection system (IDS) using blockchain IoT (BIoT) technology, according to an embodiment.
[0096] The BIoT server platform includes an Authentication Server 406, a Data Server 408, a Remote Server 410, and a Security Server 412.
[0097] The Authentication Server 406 is configured to receive a request to connect from a device 402 or a frontend 404. The Authentication Server 406 extracts the wallet identity from the device 402 or the frontend 404 and verifies the wallet identity against the registration record stored on the blockchain channels.
[0098] The Data Server 408 is configured to decrypt incoming data from the device 402 or the frontend 404 and transmit it for analytical purposes to other microservices.
[0099] The Remote Server 418 is configured for remote management operations.
The Remote Server 418 connects directly to frontend 404 and the device 402 and ensures the operational instructions are executed at the maximum speed.
[0100] The Security Server 412 is configured to perform intrusion detection, integrity monitoring, system auditing, threat detection and response. The Security Server 412 constantly analyzes the regulatory compliance ratings of the device 402, thus providing real time security analysis of the device 402 to a system administrator.
[0101] The Authentication Blockchain Channel Peers 414 represent a blockchain network including a plurality of peers carrying the transaction records. The Authentication Blockchain Channel 414 is configured to authenticate the identity of the device 402 when the device connects with the BIoT servers for availing different services.
[0102] The Data Blockchain Channel Peers 416 represent a blockchain network including a plurality of peers carrying the transaction records. The Data Blockchain Channel 414 is configured to maintain the hash entry of every data item stored on the blockchain network for future verification.
[0103] The Remote Blockchain Channel Peers 418 represent a blockchain network including a plurality of peers carrying the transaction records. The Remote Blockchain Channel 414 is configured to verify that the operation and the operator at the front end 404 are permitted based on the organization policies set on the blockchain network.
[0104] The blockchain orderers 422 are implemented in a Hyperledger Fabric network, wherein the orderers 422 synchronize the ledger across the blockchain network.
The orderers 422 package transactions into blocks and distribute the transactions to anchor peers on a blockchain network.
[0105] The certificate authority 424 is configured to grant digital certificates or TLS certificates for registering and authenticating the device 402 or the frontend 404 on the blockchain network.
[0106] According to an embodiment, the device 402 may be configured as a BIoT embedded device or a BIoT enabled device. The device 402 may be an actuator or a robotic arm used in an industrial assembly line. The BIoT embedded device may include a pre-deployed BIoT peer which can be activated using a frontend device 404 hosted either on the local network or in the cloud. Further, the device 402 may be authenticated using the device board ID and device log. Once the correct BIoT device board ID is entered on the front end 404, a curl command may be auto-generated at the front end 404, which can simply be run on the BIoT enabled device 402. After running the curl command, the user may run a BIoT data command or a BIoT remote command on the terminal, which will authenticate the device based on the information provided at the frontend 404.
If the device board ID of the device 402 matches the information entered on the front end 404, then the BIoT enabled device 402 will be endorsed by the BIoT endorsing peer hosted locally or on the cloud on an Authentication Blockchain Channel 414. On successful authentication, the data received from the device 402 or from sensors connected with the device 402 will be encrypted, and a hash will be stored on the server hosted locally or on the cloud servers.
[0107] Figure 4B is a schematic diagram of the architecture of a system 1600 for building a trusted network of devices with an intrusion detection system (IDS) using blockchain IoT (BIoT) technology, according to an embodiment.
[0108] The system 1600 includes a plurality of blockchain channels. A blockchain channel may refer to a distributed blockchain ledger. The blockchain channel may be further configured to connect to operational interfaces, including an external data storage solution at each blockchain node or APIs to connect with IoT devices and front-end devices. According to an embodiment, the plurality of blockchain channels include Authentication Blockchain Channel 1602, Endpoint Management Blockchain Channel 1610, Data Blockchain Channel 1612, and Intrusion Detection Blockchain Channel 1618.

[0109] In various embodiments, a blockchain channel in the plurality of blockchain channels may establish a communicative connection to each or any other blockchain channel in the plurality of blockchain channels via a network 1601. The network 1601 may comprise a wireless connection or a wired connection. The wired network connection may include an Ethernet cable. The wireless connection may include WiFi, LTE, or 3G/4G/5G.
[0110] The plurality of blockchain channels may be connected to remote equipment or industrial controllers via the network 1601. One or more of the blockchain channels in the plurality of blockchain channels may be connected to SCADA/PLC 1620. One or more of the blockchain channels in the plurality of blockchain channels may be connected to SCADA/PLC Drivers 1622.
[0111] The SCADA/PLC 1620 may include a plurality of Programmable Logic Controllers (PLCs) connected to a Supervisory Control and Data Acquisition (SCADA) system. The programmable logic controller may comprise hardware components, including computer processors, to manipulate manufacturing processes such as industrial assembly lines, robotic devices, and sensors. The programmable logic controller may include an industrial microprocessor supported by a power supply, programmable memory, an input/output interface to receive user instructions and provide feedback, and communication components. The programmable logic controller may be communicatively connected to electronic devices including sensors and actuators. The programmable logic controller may be configured to receive data from sensors to monitor environmental data in an industrial setting. The programmable logic controller may collect environmental data from the embedded sensors and transmit the information to the plurality of blockchain channels or the BIoT server platform as described in Figure 1. The programmable logic controller may be configured to execute instructions and control industrial equipment including actuators. The instructions may be transmitted by a user, automatically fed through a SCADA system, or performed by a smart contract.
[0112] A SCADA system may include a combination of hardware and software components to integrate and provide instructions and supervisory operations to industrial control systems such as programmable logic controllers. The SCADA system may be configured to store and analyze data collected from the programmable logic controllers. The SCADA system may be configured to provide remote instructions to the programmable logic controllers. The SCADA system may comprise monitoring software and a user interface.
[0113] The SCADA/PLC Drivers 1622 may refer to an interface deployed between the SCADA system and the programmable logic controller. Further, the SCADA/PLC Driver 1622 may refer to a timestamped or a time-series database to collect, store and process data from a SCADA system. The SCADA/PLC Drivers 1622 may be configured to store data logs for a plurality of programmable logic controllers including data attributes such as the nature of the data measured (e.g., temperature, humidity, pressure), the value of the data, a timestamp, and a data quality indicator. The data logs may be stored as binary files for efficient retrieval.
[0114] The Authentication Blockchain Channel 1602 may refer to a distributed blockchain ledger for authenticating BIoT devices. The plurality of blockchain channels may be implemented on a Hyperledger Fabric. The BIoT device or SCADA/PLC 1620 may be enrolled or registered on the Authentication Blockchain Channel 1602. The Authentication Blockchain Channel 1602 may include a plurality of peer nodes. According to an embodiment, the Authentication Blockchain Channel 1602 may include two types of peers: a BIoT peer 1604 and a plurality of endorsing peers 1606. The BIoT peer 1604 may be configured as an anchor peer. The BIoT peer 1604 may be communicatively connected to and discoverable by all the other peers on the Authentication Blockchain Channel 1602. The BIoT peer 1604 may be configured to allow communication between all the other peers of the blockchain channel. The plurality of endorsing peers 1606 may be configured to verify a transaction proposal received from the BIoT peer 1604 and approve the transaction. On receiving an endorsement, the transaction may be submitted to the other peers in the Authentication Blockchain Channel 1602 to commit the transaction. The transaction may include enrolling a BIoT device on the Authentication Blockchain Channel 1602.
[0115] Additionally, the Authentication Blockchain Channel may include orderers as described in the present disclosure. The orderers may be configured to accept endorsed transactions and package them into a block before delivering the blocks to the peer nodes.
[0116] The Authentication Blockchain Channel 1602 may be communicatively connected to the hash server 1608. The hash server 1608 may be an externally augmented storage solution. The hash server 1608 may be used to store encrypted values of the authentication data or transactions occurring over the Authentication Blockchain Channel 1602. The data may be stored on the hash server 1608 in real time or uploaded periodically. The hash server 1608 may be advantageous in storing a backup of the authentication data or transactions occurring over the Authentication Blockchain Channel 1602 in encrypted format.
[0117] According to an embodiment, a lightweight BIoT binary may be deployed on the SCADA/PLC 1620 for embedded security. The binary may include a collection of executable code, source files, configuration files, or shell scripts. The device, for example the programmable logic controller 1620, may be enrolled on the Authentication Blockchain Channel 1602 using a curl command as described in the method 500 of the present disclosure. The device may be authenticated by the distributed network of peers in the Authentication Blockchain Channel 1602. The authentication process may involve registering the device log and identification such as UDID and UUID. The enrolment status of the device may be shared with the plurality of blockchain channels. A record of authentication data may be stored as a backup on the Hash Server 1608 in encrypted form. The record of authentication data may include device logs, identification information of the device such as UDID and UUID, and the wallet identity of the device.
[0118] The Remote (endpoint) Management Channel 1610 may refer to a distributed blockchain ledger for controlling operations on SCADA/PLC 1620 or BIoT devices connected to the plurality of blockchain channels.
[0119] According to an embodiment, on receiving an instruction from the front-end device, the Remote (endpoint) Management Channel 1610 may remotely terminate the operation of a plurality of components on the SCADA/PLC 1620 or BIoT devices connected to the Remote (endpoint) Management Channel 1610. The BIoT binary deployed on the BIoT device may be utilized to remotely manage the components or ports of the BIoT device. For example, ports on the SCADA/PLC 1620 or BIoT devices may be enabled or disabled remotely on receiving instructions from the Remote (endpoint) Management Channel 1610. The ports may include Bluetooth, USB, or firewall ports. Additionally, the Remote (endpoint) Management Channel 1610 may remotely terminate any process or service performed by the SCADA/PLC 1620 or BIoT devices. Further, the system described herein may include a user interface to display a device dashboard and device performance analytics. The device dashboard and device performance analytics may include information on the BIoT devices connected to the plurality of blockchain channels.
[0120] The Realtime Encrypted Data Streaming Blockchain Channel 1612 may refer to a distributed blockchain ledger for receiving and storing data streams from the SCADA/PLC 1620 or BIoT devices authenticated on the Authentication Blockchain Channel 1602. The Realtime Encrypted Data Streaming Blockchain Channel 1612 may be communicatively connected to the certificate authority and configured to authenticate the wallet identity of the device with the certificate authority.
[0121] According to an embodiment, the SCADA/PLC 1620 or BIoT device may be issued a digital certificate or a TLS certificate from a certification authority. The certification authority may generate a cryptographic chain of digital certificates or TLS certificates for the SCADA/PLC 1620 or BIoT device. The wallet identity of the SCADA/PLC 1620 or BIoT device may include the unique identifier of the device and the digital certificates or TLS certificates of the device. The data stream from the SCADA/PLC 1620 or BIoT device to the Realtime Encrypted Data Streaming Blockchain Channel 1612 is fully encrypted with the cryptographic chain of TLS certificates issued to the SCADA/PLC 1620 or BIoT device. Next, the data stream is decrypted by the cryptographic Data Decryption Server 1613. The Data Decryption Server 1613 may be communicatively connected to the APIs with Decryption Key 1616. The APIs with Decryption Key 1616 may refer to a database that specifies the decryption key to be used to decrypt the data stream.
[0122] The decrypted data is stored on the Data Lake server 1614. The Data Lake server 1614 includes a peer deployed to monitor intrusion detection and endpoint remote management of BIoT devices. Additionally, the data collected may be used for artificial intelligence and real-time data analytics.
[0123] The Intrusion Detection Blockchain Channel 1618 may refer to a distributed blockchain ledger for providing intrusion detection services on SCADA/PLC 1620 or BIoT devices connected to the plurality of blockchain channels. The intrusion detection services include Security Analytics, Intrusion Detection, Log Data Analysis, File Integrity Monitoring, Network Intrusion Detection (HIDS & NIDS), Vulnerability Detection, Incident Response, and Regulatory Compliance.
[0124] The systems and methods of the present disclosure provide a plurality of intrusion detection methods, including signature-based detection and anomaly-based detection.
[0125] To perform signature-based detection, suspicious data access patterns or suspicious remote instructions are stored as suspicious signatures on the server. Thereafter, network traffic is monitored, and IoT devices performing data access requests or remote instructions similar to the suspicious signatures may be flagged or blocked by the intrusion detection system.
[0126] To perform anomaly-based detection, the wallet identity of the IoT device attempting data access requests or providing remote instructions is detected. If the wallet identity fails to match the list of authenticated IoT devices on the authentication blockchain channel, an anomaly is detected. Further, the data access patterns and remote instructions provided by the IoT device are compared against an established baseline. The baseline may include organizational policies or industrial standards on data security. IoT device behavior in violation of the baseline may be identified as an anomaly.
[0130] The intrusion detection rules require minimal storage space and can be conveniently deployed or modified on the intrusion detection system. The rule-set may be configured to detect changes to system files, log tampering, unauthorized remote instructions, system penetration, and data access and manipulation. The rule-set may be provided by a system administrator on a user interface and stored on a server.
Secure access to the user interface and proper use of administrator privileges are ensured by using the blockchain channels to store the intrusion detection system and by encrypting the communication on the network described herein. The intrusion detection system may check the rule-set at each IoT device registration, data access request, or remote management instruction for front-end devices, or at each data access or modification. The intrusion detection system may be placed to monitor network traffic such that rule-sets may be verified at each data transaction. The system described herein may be configured to update the rule-sets using the administrator's user interface.
[0131] The system of the present disclosure may be configured to implement a smart contract-based intrusion detection system to automate rule verification of data transactions performed over the blockchain channels. The smart contract-based intrusion detection system may monitor network traffic including data transmitted from IoT devices and front-end devices. The intrusion detection rules may be embedded in the smart contract. The smart contract may include rules for IoT device registration, IoT device authentication, and front-end or remote management. The smart contract may be configured to automatically trigger an intrusion prevention event on detection of suspicious activity violating the rule-set.
[0132] On breach of a rule-set, an intrusion is detected and an alert is triggered by the server. The intrusion details may be displayed on the user interface. The intrusion details may include information for investigating the potential intrusion such as port information or location of intrusion, rule breach information, transaction log, pathname, data/attribute modification, update operations, suspicious access patterns, structural changes to content, previous content values, and operations performed. The system described herein may be configured to store a record of intrusions or intrusion attempts. The system may also store the common intrusion behavior. The immutable ledger of the blockchain channels may record traces of system penetration and data files tampered with or accessed. The user interface may be accessed at the BIoT device terminal, the front end, or the administrator terminal. The system may be configured to trigger events to prevent a potential intrusion.
[0133] The intrusion detection rules may be defined in separate categories depending upon the nature of the suspicious activity, for example data modification, remote instruction, or device authentication. The rule may specify the path of the data files to be monitored. The rule may include file attributes, a list of permissible operations, authorized remote instructions, suspicious signatures or access patterns, or the organizational policy.
[0134] A rule-based intrusion detection system reduces the consumption of computer resources, including storage, energy, and processing cycles. Additionally, the network traffic is monitored in real time and any violation of the intrusion detection rules is swiftly detected to prevent unauthorized access. The intrusion detection rules stored on the server detect and prevent suspicious activity at the network interface in events where the IoT device or the front-end device is compromised. The immutable blockchain ledger automatically stores a historical record of data files and transactions performed. This obviates the need for maintaining or storing a reference database. Further, attempts to manipulate audit logs and reverse timestamps are prevented for data stored on the blockchain channel.
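The signature-based and anomaly-based checks of [0125]-[0126] and the tamper-evident intrusion record of [0130]-[0134], as an added Python example that is not part of the patent; the wallet list, baseline policy, signature patterns, record layout and sample transactions are constructed assumptions, and the hash chain stands in for the blockchain ledger.

```python
import hashlib
import json
import re
from dataclasses import asdict, dataclass
from typing import Dict, List, Pattern, Set, Tuple

# Wallet identities committed on the authentication blockchain channel (constructed).
AUTHENTICATED_WALLETS: Set[str] = {"wallet-plc-0001", "wallet-plc-0002", "wallet-fe-admin"}

# Baseline from organisational policy (constructed): per device type, the data paths it
# may access and the remote instructions it may issue.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "plc": {"data_access": {"/data/line1/temperature", "/data/line1/pressure"},
            "remote_instruction": {"read_sensor", "report_status"}},
    "frontend": {"data_access": {"/data/line1/temperature", "/policy/org"},
                 "remote_instruction": {"read_sensor", "disable_port", "stop_process"}},
}

# Suspicious signatures matched against the target of a transaction (constructed).
SIGNATURES: Dict[str, Pattern[str]] = {
    "sig-log-tamper": re.compile(r"^/var/log/"),
    "sig-mass-delete": re.compile(r"^delete_all\b"),
}


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    wallet: str
    device_type: str
    operation: str  # "data_access" or "remote_instruction"
    target: str     # data path or remote instruction name


@dataclass(frozen=True)
class Intrusion:
    tx_id: str
    rule: str
    detail: str


class RuleSetIDS:
    """Checks each transaction against signatures and baseline; every breach is appended
    to a hash-chained intrusion record so that later edits to the record are detectable."""

    def __init__(self, wallets, baseline, signatures):
        self.wallets, self.baseline, self.signatures = wallets, baseline, signatures
        self.ledger: List[dict] = []
        self._prev_hash = "0" * 64

    def _signature_checks(self, tx: Transaction) -> List[Intrusion]:
        return [Intrusion(tx.tx_id, name, f"{tx.operation} on {tx.target} matches {name}")
                for name, pattern in self.signatures.items() if pattern.search(tx.target)]

    def _anomaly_checks(self, tx: Transaction) -> List[Intrusion]:
        hits = []
        if tx.wallet not in self.wallets:
            hits.append(Intrusion(tx.tx_id, "anomaly-unknown-wallet",
                                  f"wallet {tx.wallet} is not on the authentication channel"))
        allowed = self.baseline.get(tx.device_type, {}).get(tx.operation, set())
        if tx.target not in allowed:
            hits.append(Intrusion(tx.tx_id, "anomaly-baseline-violation",
                                  f"{tx.device_type} may not perform {tx.operation} on {tx.target}"))
        return hits

    def _record(self, intrusion: Intrusion, tx: Transaction) -> None:
        entry = {"intrusion": asdict(intrusion), "transaction": asdict(tx),
                 "prev_hash": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.ledger.append(entry)
        self._prev_hash = entry["hash"]

    def evaluate(self, tx: Transaction) -> Tuple[bool, List[Intrusion]]:
        """Return (permitted, intrusions); any breach blocks the transaction."""
        intrusions = self._signature_checks(tx) + self._anomaly_checks(tx)
        for intrusion in intrusions:
            self._record(intrusion, tx)
        return (not intrusions, intrusions)

    def verify_ledger(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = "0" * 64
        for entry in self.ledger:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_hash"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> Tuple[List[List[str]], bool]:
    """Run four constructed transactions; return the rules each breached and the chain state."""
    ids = RuleSetIDS(AUTHENTICATED_WALLETS, BASELINE, SIGNATURES)
    samples = [
        Transaction("tx1", "wallet-plc-0001", "plc", "data_access", "/data/line1/temperature"),
        Transaction("tx2", "wallet-plc-0001", "plc", "remote_instruction", "disable_port"),
        Transaction("tx3", "wallet-ghost", "plc", "data_access", "/data/line1/temperature"),
        Transaction("tx4", "wallet-fe-admin", "frontend", "data_access", "/var/log/auth.log"),
    ]
    breached = [sorted(i.rule for i in ids.evaluate(tx)[1]) for tx in samples]
    return breached, ids.verify_ledger()
```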

[0135] Figures 5A and 5B illustrate a flow diagram of a method 500 of enrolling and authenticating an organization and a device on the BIoT server platform, according to an embodiment. Method 500 represents a core, general method for enrolling an organization and registering devices on the BIoT server platform and establishing secure data communication and access control for internet of things (IoT) devices connected to a plurality of blockchain channels.
[0136] The method 500 refers to a single BIoT device; however, it is to be understood that the BIoT device may include multiple computing devices, and various steps, or storage of data/information, may occur on or be performed by one or more of the BIoT devices. Further, the BIoT server platform may be connected to multiple BIoT devices, and various steps, or storage of data/information, may occur on or be performed by one or more of the BIoT devices. Furthermore, the multiple BIoT devices may be communicatively connected to each other over the BIoT server platform and perform one or more steps in conjunction. The BIoT server platform may also be connected to front-end devices. The front-end device may be used to present instructions and receive feedback. For example, the front-end device may generate a curl command to be entered in the BIoT device for successful registration of the BIoT device.
[0137] Every transaction, including enrolment of an organization, enrolment of a device, data streams received from the IoT devices or sensors, remote instructions, and the intrusion detection services described herein, may be recorded on the blockchain network, wherein the blockchain network includes the plurality of blockchain channels and any external data storage solution connected to any of the blockchain channels in the plurality of blockchain channels.
[0138] The steps of performing a transaction on the blockchain network described herein may be performed using a smart contract. The transaction may include recording an event on the blockchain network or performing an operation on the blockchain network. For example, the transaction on a blockchain may include registering a new device on a blockchain network or authenticating a device identity when the device attempts to connect to the blockchain network. A smart contract may refer to a set of rules or steps to perform a specific event on the blockchain. The smart contract may be configured to automatically perform certain operations on the blockchain network in response to an event. The event may include, for example, a request made by an authorized user to register a device on the blockchain network, generating an integrity monitoring record of the organization's data assets stored on the blockchain network, or performing an intrusion prevention operation on breach of the intrusion detection rules stored on the server.
[0139] According to an embodiment, a multiple chain blockchain architecture is provided wherein the BIoT server platform may be communicatively connected to a plurality of blockchain channels. Each blockchain channel may be configured to record and store a specific set of transactions on the peer network of a data blockchain channel or perform specific operations. For example, an authentication blockchain channel may include a peer network for keeping a record of organizations enrolled and devices registered by the BIoT server platform. Further, the authentication blockchain channel may perform the function of authenticating device identity when the device attempts to connect with the BIoT server platform or request certain services.
[0140] It is to be understood that, herein, any reference made to a transaction being recorded on a blockchain network or specific operation performed by the blockchain network includes recording the transaction or performing the operation on specific blockchain channels.
[0141] Cryptographic techniques may be used to secure the data communicated between the devices, the BIoT server platform, and the blockchain channels. Further, the transaction records stored on the blockchain channel and the data processed by the BIoT server platform may be limited to the encrypted version of the data.
[0142] At 502, an organization is enrolled on the BIoT server platform. This step includes creating an account for the organization on the BIoT server platform to ensure authorized access for the organization on the plurality of blockchain channels. The BIoT server platform may be configured to register the organization and provide access credentials to the organization such as a digital signature, username, password, organization identifier or the like. Further, the BIoT server may store the organization's identification information and access credentials on the authentication blockchain channel on successful enrolment of an organization. Enrolment of an organization would mean that only a user authorized by the organization or a device permitted by the organization may access the resources and services provided by the BIoT server platform and the plurality of blockchain channels. The BIoT server platform or the plurality of blockchain channels may be configured to store the organizational policies, including communication policies, data storage policies, device management policies, and device operation policies. The organizational policy may include requirements for permitted device operations and encryption protocols for data storage and access. The organizational policies may be advantageous in verifying the validity of a data access request or operational instructions received from a BIoT device and improving security.
[0143] The BIoT server platform may be configured to create a plurality of accounts for an organization and establish customized access policies for each account. For example, an administrator account for an organization may be granted privileges to update organizational policies, whereas a user account for an organization may only be permitted to access specific datasets on the plurality of blockchain channels and perform a pre-authorized set of operations on BIoT devices. Further, a plurality of user accounts may be created for an organization with customized data access and operational permissions for each user account.
[0144] The organization account may include a subscription plan selected by the organization. The subscription plan may include the services offered to the organization and a time period for providing the services. The BIoT server platform may be configured to periodically monitor the subscription status of the organization. The BIoT server platform may be configured to automatically stop services upon expiry of the subscription plan for the organization. For example, BIoT device authentication tokens for an organization may not be renewed or re-issued if the device subscription is invalid.
[0145] Step 502 includes storing a record of the enrolled organization, organizational accounts, and organizational policies described herein on the plurality of blockchain channels by the BIoT server platform. For example, the authentication blockchain channel peers, as illustrated, may store the registration information of the organization. Records may be stored in encrypted form on the blockchain network to improve security.

[0146] Method 500 refers to a single organization; however, it is to be understood that multiple organizations can be enrolled or registered by the BIoT server platform and a record of organizations may be stored on the plurality of blockchain channels. Further, the organization referred to herein may include any individual or collective establishment availing itself of services offered by the BIoT server platform and accessing the plurality of blockchain channels.
[0147] At 504, an SDK (software development kit) is installed on an organization device. The organization device may be a front-end device as described in the present disclosure. The SDK includes a set of software development tools and programs for developing and modifying applications for specific platforms. It is to be understood that, herein, any reference to an SDK is to include a set of tools for developing and modifying applications and programs that make use of services offered by the BIoT server platform. For example, an organization may use the SDK to establish or update organizational policies on the BIoT server platform. Further, the SDK may be used to establish protocols for registering new devices for accessing the BIoT server platform, for authentication of the devices before allowing them access to the BIoT server platform, and for removal of the devices registered on the BIoT server platform. For example, the SDK on the organization's front-end device may be used to receive the unique identification information of the BIoT device and generate a curl command. The curl command may thereafter be entered on the BIoT device to authenticate the BIoT device.
[0148] Furthermore, the SDK may be used to establish and modify operational policies of the organization on the BIoT server platform. The operational policies may include rule sets of permitted operations for any organizational device registered on the BIoT server platform. For example, the organizational device may be permitted to access only a specific segment of organizational data stored on the BIoT server platform.
[0149] The SDK may include libraries, documentation, code samples, guides, editors, program development environments, testing tools, drivers, network protocols, or any other tool necessary for creating applications that make use of the services on the BIoT server platform. The structure, versions and updates of the SDK may be determined by the administrator of the BIoT server platform.

[0150] The SDK may be installed on more than one device of an organization. It is to be understood that, herein, any reference to singular or plural devices or constituents of the SDK is solely for illustrative purposes and that a singularity or plurality of any of the above may be present in various embodiments.
[0151] At 506, a new device is enrolled on the BIoT server platform and thereafter a BIoT application is run on the device. It is to be understood that, herein, any reference to a BIoT device means the device associated with the organization and registered on the BIoT server platform. The BIoT device may be allowed to access the resources and services of the BIoT server platform and the connected blockchain networks.
[0152] The enrolment of the BIoT device may involve an authorized user from the organization enrolled on the BIoT server platform making a registration request to the BIoT server platform to register the BIoT device on the BIoT server platform. According to an embodiment, the registration request may include the device identifier such as UDID (Unique Device ID) or UUID (universally unique identifier). The device identifier may be a unique fixed-digit alphanumeric label assigned to the device by a manufacturer. Thereafter, the BIoT server platform may verify whether the registration request is received from the authorized user or the front-end device of the organization enrolled on the BIoT server platform. On confirmation, the BIoT server platform may record the newly registered device and the unique identifier of the device on the blockchain network.
[0153] According to an embodiment, to perform the enrolment of a BIoT device, an authorized user may present the device identifier information of the BIoT device to the front-end device. For example, the user may enter the UDID or UUID of the BIoT device on the front-end device. The front-end device 404 and the BIoT device 402 may be communicatively connected to the BIoT server platform and the plurality of blockchain channels as illustrated in Figure 4. The BIoT server platform may include authentication server 406, data server 408, remote server 410, and security server 412 as illustrated in Figure 4. The plurality of blockchain channels may include authentication blockchain channel 414, data blockchain channel 416, remote blockchain channel 418, and security blockchain channel 420 as illustrated in Figure 4. Thereafter, the BIoT server platform and the authentication blockchain channel may verify whether the request has been received from a valid front-end device. This step may include verifying from the distributed ledger record that the front-end device holds the valid credentials as stored on the authentication blockchain channel. Further, the BIoT server platform or the plurality of blockchain channels may verify that the BIoT device is consistent with the organizational device policy. For example, the BIoT server platform may be configured to identify the specifications of the BIoT device from the UDID or UUID of the BIoT device. If the UDID or UUID indicates that the BIoT device is an industrial robotic actuator, the organization's policy may be consulted to confirm whether the industrial robotic actuator is to be permitted for enrolment. This step may include checking the consistency of the request on the plurality of blockchain channels. The organization's policy may be stored on the BIoT server platform or the plurality of blockchain channels. On successfully meeting the enrolment conditions, a curl command may be generated and displayed on the front-end device. The user may thereafter enter the curl command on the BIoT device. The BIoT device may communicate the curl command and the BIoT device enrolment request to the BIoT server platform or the plurality of blockchain channels. The curl command and the BIoT device enrolment request may be authenticated by the distributed blockchain network. On successful authentication of the curl command, the BIoT device may be enrolled on the plurality of blockchain channels.
[0154] The operations or transactions as described in the present disclosure may be executed by a smart contract.
[0155] The curl command, as described herein, may refer to a command-line tool for transferring data using various network protocols. The curl command may be used to exchange data between the device and the BloT server platform.
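The front-end and device sides of the enrolment exchange in [0152]-[0155], as an added Python example that is not the patent's own code; the UDID prefix scheme, the endpoint URL, the JSON payload carried by the curl command, the token lifetime and the single-use rule are constructed assumptions that go beyond what the text specifies.

```python
import json
import secrets
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed mapping from the UDID prefix to a device type, standing in for the
# specification lookup the text describes (the real scheme is not given).
DEVICE_TYPE_BY_PREFIX = {"RA": "robotic_actuator", "TS": "temperature_sensor", "PL": "plc"}

ENROL_URL = "https://biot.example/enrol"  # placeholder endpoint, not from the patent


@dataclass(frozen=True)
class OrganizationPolicy:
    org_id: str
    permitted_device_types: Set[str]


def device_type_from_udid(udid: str) -> Optional[str]:
    return DEVICE_TYPE_BY_PREFIX.get(udid.split("-", 1)[0])


def parse_curl_payload(cmd: str) -> dict:
    """Simulate the device running the command: recover the JSON body that curl would post."""
    argv = shlex.split(cmd)
    return json.loads(argv[argv.index("-d") + 1])


class EnrolmentService:
    """Server-side state: pending tokens issued to the front end and the enrolment records
    that would be committed to the authentication blockchain channel (here a plain list)."""

    def __init__(self, policies: Dict[str, OrganizationPolicy], token_ttl: int = 300):
        self.policies = policies
        self.token_ttl = token_ttl            # seconds a generated curl command stays valid
        self.pending: Dict[str, dict] = {}    # token -> expected udid, org, expiry
        self.authentication_channel: List[dict] = []

    def request_enrolment(self, org_id: str, udid: str, now: int) -> Tuple[Optional[str], str]:
        """Front-end step: check the organizational device policy, then issue the curl command."""
        policy = self.policies.get(org_id)
        if policy is None:
            return None, "organization not enrolled"
        dtype = device_type_from_udid(udid)
        if dtype not in policy.permitted_device_types:
            return None, f"device type {dtype} not permitted by policy of {org_id}"
        token = secrets.token_urlsafe(24)
        self.pending[token] = {"udid": udid, "org": org_id, "expires": now + self.token_ttl}
        body = json.dumps({"udid": udid, "token": token})
        cmd = (f"curl -X POST {ENROL_URL} -H 'Content-Type: application/json' "
               f"-d {shlex.quote(body)}")
        return cmd, "ok"

    def complete_enrolment(self, udid: str, token: str, now: int) -> Tuple[bool, str]:
        """Device step: the board ID the device submits must match the one entered on the front end."""
        claim = self.pending.pop(token, None)  # single use: consumed whether or not it succeeds
        if claim is None:
            return False, "unknown token"
        if now > claim["expires"]:
            return False, "token expired"
        if claim["udid"] != udid:
            return False, "device ID does not match front-end entry"
        self.authentication_channel.append({"udid": udid, "org": claim["org"],
                                            "device_type": device_type_from_udid(udid),
                                            "enrolled_at": now})
        return True, "enrolled"


def demo() -> Tuple[str, List[str]]:
    """Constructed walk-through: one policy rejection, then a successful enrolment."""
    svc = EnrolmentService({"org-1": OrganizationPolicy("org-1", {"plc", "temperature_sensor"})})
    _, rejection = svc.request_enrolment("org-1", "RA-1234", now=1000)
    cmd, _ = svc.request_enrolment("org-1", "PL-0042", now=1000)
    payload = parse_curl_payload(cmd)           # the device "runs" the curl command
    svc.complete_enrolment(payload["udid"], payload["token"], now=1005)
    return rejection, [r["udid"] for r in svc.authentication_channel]
```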
[0156] According to an embodiment, the enrollment of a BloT device may include firstly requesting a digital certificate or a TLS certificate from a certification authority for the device as illustrated in Figure 4. The request to the certification authority may include the unique identifier of the device. The certification authority may generate a cryptographic chain of digital certificates or TLS certificates for the device. The digital certificate or TLS certificate may include a key pair consisting of a public key and a private key for the device. The device may thereafter be configured to include in the enrolment request the digital certificate or TLS certificate obtained from the certification authority to form a wallet identity of the device. The wallet identity may include the unique identifier of the device. Thereafter, a registration or enrolment request may be made to the BloT server platform and the plurality of blockchain channels. The registration or enrolment request may include the wallet identity of the device. The BloT server platform or the plurality of blockchain channels may be communicatively connected to the certification authority and configured to authenticate the wallet identity of the device with the certification authority. On confirming the wallet identity of the device, the device is registered by the BloT server platform and a record of device registration is made on the blockchain network.
[0157] In an embodiment, a BloT application is run on the BloT device. The BloT application provides a frontend interface to the BloT device for performing operations on the blockchain network. The operations may include creating or feeding data into the blockchain, updating or deleting data from the blockchain, requesting data access, processing operations such as monitoring intrusion detection, activating the sensor connected to the BloT device to feed data into the blockchain, performing conditional statements or triggering a smart contract. The BloT application may be configured to display on the BloT device the data retrieved from the blockchain network, or the results of the operation performed.
[0158] At 508, a device is authenticated by receiving endorsement by a plurality of peers on the blockchain network connected to the BloT server platform using the unique identifier of the device, according to an embodiment. The endorsing peer referred to herein is the blockchain node that approves a transaction before submitting it to the other nodes on the blockchain network. The blockchain network may refer to each or any one of the plurality of blockchain channels. In this step, the device makes an authentication request to the BloT server platform to access data on the blockchain network or perform an operation on the blockchain network. The authentication request may include the unique identifier of the device attempting to make a connection to the blockchain network. The endorsing peer verifies whether the unique identifier of the device attempting to connect to the BloT server platform or the blockchain network matches the record of registered devices on the blockchain network. If a match is found, the endorsing peer authenticates the device and logs the device in the blockchain record. Thereafter, the device log is shared with the other peers on the blockchain network.
[0159] According to an embodiment, the authentication request may include the wallet identity of the device. The wallet identity may include the digital certificate or the TLS certificate or the unique identifier of the device. The BloT server platform or the blockchain network may be communicatively connected to the certification authority and configured to authenticate the wallet identity of the device with the certification authority. The authentication of the wallet identity may include matching the key pair in the digital certificate or the TLS certificate. On confirming the wallet identity of the device, the device is authenticated by the BloT server platform and a record of the device log is made on the blockchain network.
[0160] According to an embodiment, an endorsing peer on the blockchain network may receive the authentication request from the device. The authentication request may include the wallet identity of the device. The blockchain network that includes the endorsing peer may be communicatively connected to the certification authority. The endorsing peer may authenticate the device by matching the key pair of the device in the digital certificate or the TLS certificate. On receiving confirmation from the certification authority, the endorsing peer may verify the wallet identity of the device against the registered device records in the blockchain network. If a match is found, the endorsing peer authenticates the device and logs the device in the blockchain record. Thereafter, the device log is shared with the other peers on the blockchain network.
[0161] At 510, data is streamed from the sensors to the BloT server platform via the authenticated device, in an embodiment. The sensors may be communicatively connected to the BloT device. The sensors include a temperature sensor, a pressure sensor, a proximity sensor, an accelerometer and gyroscope sensor, an IR sensor, an optical sensor, an illumination sensor, a humidity sensor, a motion sensor, a sound sensor, a magnetic sensor, and an air quality sensor. The sensors may include a processing unit to encode the data recorded by the sensor and communicate the encoded data to the BloT device in the form of a signal. The sensors may be physically located on or embedded in the BloT device and directly collect data at the BloT device, according to an embodiment. Alternatively, the sensors may be physically located apart from the BloT device and communicatively connected to the BloT device. The BloT device may be configured to receive and process the continuous flow of sensor data.
[0162] According to an embodiment, the sensors may include a unique device identifier. The sensors may include a processing unit to communicate a data packet comprising the time stamped sensor data and the unique device identifier for the sensor.
[0163] At 512, the BloT device encrypts the sensor data instantaneously on receiving the sensor data and simultaneously communicates the encrypted data to the BloT server platform.
[0164] The BloT device may employ a cryptographic algorithm to encrypt the sensor data including symmetric key algorithms and asymmetric key algorithms such as Triple DES, AES, RSA Security, or cryptographic hash algorithms such as MD5, SHA-1, SHA-256, SHA-512, or SHA-1024. The BloT device may be configured to automatically select an encryption method depending on the sensor data for faster encryption and communication.
[0165] The BloT server platform is configured to receive the incoming stream of data from the BloT device. According to an embodiment, the BloT server platform may decrypt the data received from the BloT device before transmitting it over the blockchain network.
[0166] At 514, the data received from the BloT device is broadcast to the endorsing peers. The endorsing peer referred to herein is the blockchain node that approves a transaction before submitting it to the other nodes on the blockchain network. The endorsing peers validate the data received from the BloT device. On successful validation, the data is shared over the blockchain network.
[0167] At 516, the blockchain network ledger is updated and a consensus is achieved to include the data received and stored on the blockchain network after receiving validation from the endorsing peers, according to an embodiment.

Date Recue/Date Received 2021-09-17
[0168] At 518, the frontend device may be configured to display the device data and sensor data, according to an embodiment. The frontend device may display analytical information on updated status of the blockchain network.
[0169] According to an embodiment, the frontend device may receive an operation request to provide the updated status of the blockchain network to reflect analytics on the data stored and historical record of the data sets stored on the blockchain.
[0170] Figure 6 is a flow diagram of a method 600 of authenticating a device attempting to connect to the blockchain server platform or the blockchain network, according to an embodiment. The method 600 may be implemented using the system 100 described above. It should be noted that the method 600 is for authentication of a BloT device. Data collection from the sensor or the BloT device, encryption of data and the network communication steps in the method 600 are generally the same as described for the method 500 above. The blockchain network as described herein may refer to each or any one of the plurality of blockchain channels as illustrated in Figure 4.
[0171] At step 602, data is transmitted from the BloT device to the BloT server platform in an encrypted format. The BloT device may be communicatively connected to the BloT server platform. The data transmitted from the device may include a continuous data stream received from a plurality of sensors and actuators, including pressure, motion, and operational movements. The BloT device may be configured to encrypt the data before transmitting the data to the BloT server platform.
[0172] At step 604, the BloT device is issued a chain of TLS certificates from a certification authority. The BloT server platform may be communicatively connected to a certification authority. The certification authority is configured to generate new TLS certificates for the devices after each transaction on the blockchain network. The certification authority may also verify the wallet identity previously issued to the registered BloT devices on the BloT server platform. The BloT server platform and the blockchain channels store wallet identities of the registered devices as described in step 506 of method 500. The wallet identity of the registered device may include a device identifier such as a UDID (Unique Device ID) or UUID (universally unique identifier), or a digital certificate or a TLS certificate for the device. The wallet identity of a device may be stored in an encrypted format.
[0173] Further explaining step 604, the BloT server platform is configured to issue a cryptographic chain of TLS certificates to the device transmitting data to the BloT server platform. The digital certificate or TLS certificate may include a key pair consisting of a public key and a private key for the device. The device may thereafter be configured to include the digital certificate or TLS certificate obtained from the certification authority to form a wallet identity of the device. The wallet identity may include the unique identifier of the device.
[0174] At 606, the device attempts to connect to a BloT Authentication Server using the wallet identity issued to the device in step 604. The BloT Authentication Server is configured to decrypt the incoming data. The connection request by the device may be made to the BloT server platform. The connection request may include the wallet identity of the device.
[0175] The BloT Authentication Server is communicatively connected to an authentication blockchain channel. The authentication blockchain channel includes a plurality of peers, each storing a ledger of device and data transactions. The ledger further includes the wallet identities of the devices registered on the authentication blockchain channel. The ledger is configured to store the wallet identities and the transaction records in an encrypted format. The peers are linked to each other, wherein each block contains a hash value of the previous block. In order to achieve a secure authentication of records, the peers may use consensus algorithms such as Practical Byzantine Fault Tolerance Algorithm (PBFT), the Proof-of-Stake Algorithm (PoS) and the Delegated Proof-of-Stake Algorithm (DPoS).
[0176] In an embodiment, the BloT server platform, on receiving the connection request by a device using the wallet identity, decrypts the wallet identity issued to the device for authentication. In another embodiment, the BloT server platform may be configured to generate a hash value of the wallet identity, and the hash value of the wallet identity may be used for authentication of the device.

[0177] At the step 608, the wallet identity of the connecting device is validated on the authentication blockchain channel in a decentralized manner. The validation includes confirming whether the wallet identity of the connecting device matches with a wallet identity for a registered device stored on the authentication blockchain channel.
[0178] The BloT server platform or the authentication blockchain channel may be communicatively connected to the certification authority and configured to authenticate the wallet identity of the device from the certification authority.
[0179] At step 610, on confirming the wallet identity of the device, an organization is given access to the data record on the ledger from the same state as read from the device at the time of device activation and validation. The organization refers to the body subscribing to the BloT server platform. The organization has a plurality of devices registered on the BloT server platform, and the wallet identities of the registered devices are stored on the plurality of blockchain channels.
[0180] After validation, the data transmitted by the device may be stored on the plurality of blockchain channels in an encrypted format. The data may be stored in packets or in periodically spaced data transactions.
[0181] According to an embodiment, restrictions may be set for the authenticated device on data access and data values being stored on the plurality of blockchain channels. The restrictions may be based on the organizational policies encapsulated by the BloT server platform.
[0182] At 612, randomly generated session tokens are issued to the successfully authenticated device after every data transaction. The session token may include a unique session ID in an encrypted format to identify and record a specific data transaction, according to an embodiment. Further, the session token may include device credentials including wallet identity, digital certificate or TLS certificates. In an embodiment, a timestamp is recorded at each data transaction and stored on the distributed ledger for verification and monitoring.

[0183] The BloT server platform or the authentication blockchain channel may be communicatively connected to the certification authority and configured to generate the session token for the device automatically after each data transaction.
[0184] At 614, the session token is automatically renewed before the expiry of session token if the service subscription is still valid. The BloT server platform may be configured to verify the subscription state for the device after every data transaction. The subscription status of the device may be stored in the organization record over the plurality of blockchain channels.
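The authentication server flow of steps 606 to 614 (matching the wallet identity against the registered record, issuing a random session token after each data transaction, renewing it only while the subscription is valid, and recording every outcome on a ledger whose blocks carry the hash of the previous block) can be illustrated with the following added Python example. It is not code from the patent or its assignee; the in-memory ledger, the device records, and the use of a SHA-256 hash of the wallet identity as the stored comparison value are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def wallet_identity_hash(udid: str, certificate_pem: str) -> str:
    """Hash of the wallet identity (unique identifier plus certificate), so the
    comparison value stored on the ledger is not the raw certificate ([0176]).
    Assumed representation, not the patent's."""
    material = json.dumps({"udid": udid, "cert": certificate_pem}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: float
    record: dict
    previous_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "record": self.record, "previous_hash": self.previous_hash},
            sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Append-only chain in which each block contains the hash of the previous
    block ([0175]); stands in for the authentication blockchain channel."""

    def __init__(self) -> None:
        genesis = Block(0, 0.0, {"event": "genesis"}, "0" * 64)
        genesis.hash = genesis.compute_hash()
        self.blocks = [genesis]

    def append(self, record: dict, now: float) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1, now, record, prev.hash)  # timestamp per transaction
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every hash and back-link; False if any block was altered."""
        for i in range(1, len(self.blocks)):
            b, prev = self.blocks[i], self.blocks[i - 1]
            if b.previous_hash != prev.hash or b.hash != b.compute_hash():
                return False
        return True


@dataclass
class AuthServer:
    registered: dict          # udid -> wallet identity hash (constructed records)
    subscription_valid: dict  # udid -> bool, the organization's subscription state
    token_ttl: float = 300.0  # assumed token lifetime in seconds
    ledger: Ledger = field(default_factory=Ledger)
    sessions: dict = field(default_factory=dict)  # udid -> (token, expiry)

    def _issue_token(self, udid: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # randomly generated session token (612)
        self.sessions[udid] = (token, now + self.token_ttl)
        return token

    def authenticate(self, udid: str, certificate_pem: str, now: float):
        """Step 608: compare the presented wallet identity with the registered
        record in constant time. Failed attempts are also put on the ledger,
        which is what makes the intrusion record of [0214] retrievable."""
        presented = wallet_identity_hash(udid, certificate_pem)
        expected = self.registered.get(udid)
        ok = expected is not None and hmac.compare_digest(presented, expected)
        self.ledger.append({"event": "auth", "udid": udid, "ok": ok}, now)
        if not ok:
            return None
        return self._issue_token(udid, now)

    def record_transaction(self, udid: str, token: str, now: float):
        """Steps 612 and 614: the transaction needs a valid, unexpired token;
        afterwards a fresh token replaces it, but only while the subscription
        is valid. Returns the new token, or None."""
        current = self.sessions.get(udid)
        if (current is None or not hmac.compare_digest(current[0], token)
                or now > current[1]):
            self.ledger.append({"event": "tx_rejected", "udid": udid}, now)
            return None
        # Only a hash of the token goes on the ledger, never the token itself.
        self.ledger.append({"event": "tx", "udid": udid,
                            "token_sha256": hashlib.sha256(token.encode()).hexdigest()},
                           now)
        if not self.subscription_valid.get(udid, False):
            del self.sessions[udid]  # subscription lapsed: no renewal
            return None
        return self._issue_token(udid, now)
```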
[0185] BloT secure management client deployed on the device performs intrusion detection, integrity monitoring, system auditing, threat detection and response and constantly analyzes the regulatory compliance ratings of the device, thus providing real time security analysis of the device to the system administrator. The subsequent logs are also put on the blockchain channel, hence establishing a trust in a decentralized environment.
[0186] Figures 7A and 7B are flow diagrams of a method 700 of data management for a device connected to the blockchain server platform or the blockchain network, according to an embodiment.
[0187] At step 702, the authenticated BloT device is connected to the BloT server platform. Specifically, the authenticated BloT device is connected to a BloT data server. The BloT data server is configured to decrypt incoming data and send it for analytical purposes to other microservices.
[0188] At step 704, the BloT data server, on connecting with the authenticated BloT device, issues encrypted keys to the BloT device. The encrypted keys are then transmitted in an encrypted manner to the authenticated BloT device, wherein only the authenticated BloT device has the capability to decrypt the encrypted keys.
[0189] In an embodiment, a chain of encrypted keys is issued to the BloT device. The BloT data server may be communicatively connected to a certification authority. The certification authority is configured to generate new encrypted keys for the BloT devices on the blockchain network. The certification authority may also verify the encrypted keys previously issued to the registered BloT devices on the BloT server platform. The BloT server platform and the plurality of blockchain channels store the encrypted keys of the registered BloT devices as described in step 506. The encrypted keys for the registered BloT device may include a device identifier such as a UDID (Unique Device ID) or UUID (universally unique identifier), or a digital certificate or a TLS certificate for the BloT device.
[0190] Further explaining step 704, the BloT data server is configured to issue a cryptographic chain of encrypted keys to the BloT device transmitting a data stream to the BloT server platform. The encrypted keys may include a key pair consisting of a public key and a private key for the device. The encrypted keys may be included in a digital certificate or the TLS certificate. The BloT device may thereafter be configured to include the encrypted keys, digital certificate, or TLS certificate obtained from the certification authority to form a wallet identity of the BloT device. The wallet identity may include the unique identifier of the BloT device.
[0191] At 706, the selected BloT device decrypts the encrypted keys. The selected BloT device refers to the device authenticated by the BloT server platform and the receiving terminal for the encrypted keys issued by the BloT data server.
[0192] At 708, the BloT device begins to read data received from a plurality of terminal devices. The plurality of terminal devices may include sensors, actuators, or industrial equipment. The plurality of terminal devices may automatically collect a stream of data from the environment such as pressure, motion, and humidity. The plurality of terminal devices may also receive a manual input.
[0193] At 710, the BloT device packs the data received from the plurality of terminal devices into a plurality of batches at periodic intervals. For example, data received from the front-end terminals may be packed into batches every 0.5 seconds. The BloT device is configured to concurrently receive data from the plurality of terminal devices and pack the heterogeneous data into batches.
[0194] At 712, the BloT device encrypts the batch of data using the encrypted keys and sends the encrypted batch of data to the BloT data server in an encrypted manner. Specifically, the BloT device may use the public key of the BloT data server to encrypt the batch of data and use an encrypted medium to send the encrypted data batch to the BloT data server.
[0195] At 714, the encrypted keys are renewed for the BloT device after each transaction of sending batch of data to the BloT data server. Specifically, the BloT data server is configured to issue a new pair of encrypted keys after a batch of data is sent by the device to the BloT data server.
[0196] At 716, the batch of data received by the BloT data server is decrypted by the BloT data server. Thereafter, a hash-value of the decrypted data is generated and stored on the blockchain channel. The BloT data server uses the encryption keys to authenticate the source of the data batch.
[0197] The storage of the hash value of the data on the blockchain channel provides data immutability. The organization can verify the data at any time against the hash values stored on the blockchain channel. Further, the data on the blockchain can also be retrieved for analytical purposes.
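Steps 708 to 716 of method 700 (packing heterogeneous terminal readings into 0.5 second batches, authenticating each batch with the key issued for it, renewing the key after every transaction, storing only the batch hash on the channel, and later verifying retrieved data against that hash) are illustrated by the following added Python example. It is not the patent's or the assignee's code; the readings are constructed, the channel is an in-memory dictionary of hashes, and an HMAC over the canonical batch is used in place of the patent's public-key encryption to show the source-authentication and key-renewal logic.

```python
import hashlib
import hmac
import json
import secrets
from collections import defaultdict

BATCH_INTERVAL = 0.5  # seconds, the batching interval given as an example in [0193]

# Constructed readings: (terminal device id, timestamp in seconds, value).
READINGS = [
    ("pressure-01", 1000.00, 101.3),
    ("motion-07",   1000.10, 0),
    ("humidity-02", 1000.45, 41.2),
    ("pressure-01", 1000.60, 101.4),
    ("motion-07",   1000.90, 1),
    ("humidity-02", 1001.05, 41.5),
]


def pack_batches(readings, interval=BATCH_INTERVAL):
    """Step 710: group heterogeneous readings into fixed windows keyed by the
    window start time; each batch is sorted so its serialization is stable."""
    batches = defaultdict(list)
    for terminal_id, ts, value in readings:
        window = round((ts // interval) * interval, 6)  # floor to window boundary
        batches[window].append({"terminal": terminal_id, "ts": ts, "value": value})
    return {w: sorted(b, key=lambda r: (r["ts"], r["terminal"]))
            for w, b in sorted(batches.items())}


def canonical(batch) -> bytes:
    """Deterministic serialization: the same batch must always hash the same."""
    return json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()


def batch_hash(batch) -> str:
    """Step 716: the hash value the data server stores on the blockchain channel."""
    return hashlib.sha256(canonical(batch)).hexdigest()


def device_tag(key: bytes, batch) -> str:
    """Authenticator the device attaches to a batch using its current key.
    HMAC stands in here for the patent's key-based source authentication."""
    return hmac.new(key, canonical(batch), hashlib.sha256).hexdigest()


class HashChannel:
    """Stand-in for the blockchain channel: stores only batch hashes, keyed by
    window, and offers the verification the organization performs later ([0197])."""

    def __init__(self):
        self.commitments = {}

    def commit(self, window, batch):
        self.commitments[window] = batch_hash(batch)

    def verify(self, window, batch) -> bool:
        stored = self.commitments.get(window)
        return stored is not None and hmac.compare_digest(stored, batch_hash(batch))


class DataServer:
    """Steps 704 and 712 to 716: issue a key, check each batch against the key
    last issued to that device, commit the batch hash, then renew the key."""

    def __init__(self):
        self.channel = HashChannel()
        self.keys = {}  # udid -> key valid for exactly one upcoming batch

    def issue_key(self, udid: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[udid] = key
        return key

    def receive(self, udid: str, window, batch, tag: str):
        """Return the renewed key on success, or None when the source cannot be
        authenticated (unknown device, stale or reused key, altered batch)."""
        key = self.keys.get(udid)
        if key is None or not hmac.compare_digest(tag, device_tag(key, batch)):
            return None  # nothing is committed for an unauthenticated batch
        self.channel.commit(window, batch)
        return self.issue_key(udid)  # step 714: a new key after each transaction
```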
[0198] BloT secure management client deployed on the device performs intrusion detection, integrity monitoring, system auditing, threat detection and response and constantly analyzes the regulatory compliance ratings of the device, thus providing real time security analysis of the device to the system administrator. The subsequent logs are also put on the blockchain channel, hence establishing a trustless and decentralized environment.
[0199] Figure 8 is a flow diagram of a method 800 for remote management of a front-end device connected to the blockchain server platform or the blockchain network, according to an embodiment. The blockchain network may include a plurality of blockchain channels as described in system 100.
[0200] At 802, a user performs an operation on the front-end device. The front-end device may include an electronic device with a user interface, a sensor, an actuator, or industrial equipment. The user may perform any operation on the front-end device or input any data or a conditional instruction to the front-end device. The operation may include manipulating the front-end device or providing a desired instruction to the front-end device to be executed on the target BloT device.
[0201] At 804, the operation data is sent to the BloT server platform and the blockchain channels. Specifically, the front-end device is configured to convert the operational instructions into operation data and transmit the operation data to the BloT server platform.
[0202] In an embodiment, the front-end device is configured to encrypt the operation data before transmission. Further, the front-end device is configured to transmit the wallet identity of the front-end device and the BloT device in conjunction with the operation data. The BloT server platform decrypts the operation data and the wallet identity of the front-end device and the BloT device.
[0203] In an embodiment, the operational instruction could be a smart contract. A smart contract may encode a series of instructions to be automatically executed in the event of achieving a pre-set data state. The smart contract may trigger operational instructions to a plurality of BloT devices.
[0204] At 806, the operation data and the wallet identities of the front-end device and the BloT device are validated over the blockchain. Specifically, the BloT server platform verifies from the distributed ledger whether the front-end device is permitted to provide operational instructions and the BloT device is permitted to perform the operation. Further, the BloT server platform verifies from the distributed ledger whether the operation is valid for the BloT device according to the organization's policies. Furthermore, the access permissions for performing the operation on the BloT device are verified.
[0205] For example, in an industrial setting, the BloT device could be a robotic actuator on the assembly line of a manufacturing unit. A user inputs his/her credentials and operational instructions on the robotic actuator to perform a maneuver. The robotic actuator would thereafter convert the operational instructions and user credentials into a digital signal and combine the robotic actuator's wallet identity with the digital signal. The digital signal would then be encrypted and transmitted to the BloT server platform. On receiving the encrypted message, the BloT server platform decrypts the message and verifies the credentials in the message according to the following steps.

[0206] Firstly, the wallet identity of the BloT device is verified. This includes authenticating, from the records on the blockchain ledger, whether the wallet identity of the device has been registered with the organization in which the operation is being performed. Secondly, the credentials of the user would be verified on the blockchain ledger, including the access permissions granted to the user. Thirdly, the operational data would be verified against the organizational policy to confirm whether the BloT device selected to perform the operation has permission to perform such an operation. Fourthly, the operation collection permissions of the front-end device would be verified against the organizational policy to confirm whether the front-end device receiving the operational instructions has permission to request such operational instructions.
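The four checks of [0206] are shown below as an added Python example of the validation performed at step 806 before an instruction is forwarded at step 808, with each failed request written to an intrusion record of the kind described in [0214]. This is not the patent's or the assignee's code; the wallet identities, users, device classes and policy tables are constructed stand-ins for records the patent places on the ledger and in the organizational policy.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ledger and policy state for one organization, "org-a".
REGISTERED_WALLETS = {              # device wallet identity -> owning organization
    "wallet:actuator-17": "org-a",
    "wallet:hmi-panel-03": "org-a",
    "wallet:actuator-99": "org-b",  # registered, but with another organization
}
DEVICE_CLASS = {                    # device wallet identity -> device class
    "wallet:actuator-17": "robotic_actuator",
    "wallet:actuator-99": "robotic_actuator",
}
USER_PERMISSIONS = {                # user -> operations the user's credentials grant
    "alice": {"move_arm", "read_status", "calibrate"},
    "bob": {"read_status"},
}
DEVICE_POLICY = {                   # organization -> device class -> permitted operations
    "org-a": {"robotic_actuator": {"move_arm", "read_status", "halt"}},
}
FRONT_END_PERMISSIONS = {           # front-end wallet identity -> operations it may request
    "wallet:hmi-panel-03": {"move_arm", "read_status"},
    "wallet:kiosk-01": {"read_status"},
}


@dataclass(frozen=True)
class OperationRequest:
    front_end_wallet: str
    device_wallet: str
    user: str
    operation: str
    organization: str


def validate_operation(req: OperationRequest) -> Optional[str]:
    """Return None when all four checks of [0206] pass, otherwise the name of
    the first check that failed. The order follows the patent's text."""
    # First: the target device's wallet identity is registered with this organization.
    if REGISTERED_WALLETS.get(req.device_wallet) != req.organization:
        return "device_wallet_not_registered"
    # Second: the user's credentials grant the requested operation.
    if req.operation not in USER_PERMISSIONS.get(req.user, set()):
        return "user_not_permitted"
    # Third: organizational policy permits this device class to perform the operation.
    device_class = DEVICE_CLASS.get(req.device_wallet)
    allowed = DEVICE_POLICY.get(req.organization, {}).get(device_class, set())
    if req.operation not in allowed:
        return "operation_not_permitted_for_device"
    # Fourth: the front-end device is permitted to request this operation.
    if req.operation not in FRONT_END_PERMISSIONS.get(req.front_end_wallet, set()):
        return "front_end_not_permitted"
    return None


def process_request(req: OperationRequest, intrusion_log: list) -> bool:
    """Step 808: forward only on successful validation. Failures are appended
    to the intrusion record so the administrator can retrieve them later."""
    failure = validate_operation(req)
    if failure is not None:
        intrusion_log.append({
            "device": req.device_wallet,
            "front_end": req.front_end_wallet,
            "user": req.user,
            "operation": req.operation,
            "reason": failure,
        })
        return False
    return True  # caller encrypts and transmits the instruction to the device
```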
[0207] At 808, if the validation in 806 is successful, the operational data is sent to the selected BloT device in encrypted format. Specifically, on successful validation, the BloT server platform is configured to transmit the operational instructions to the selected BloT device, wherein the user intends the selected device to perform the operational instructions.
[0208] At 810, the selected BloT device receives the encrypted operational instructions, decrypts the operational instructions and performs an operation according to the operational instructions.
[0209] At 812, the selected device transmits the result or outcome of executing the operation to the BloT server. Specifically, the selected device is configured to record the outcome of the operation, wherein the outcome of the operation may be a successful performance or an error. The outcome of the operation is transmitted to the BloT server platform.
[0210] In another embodiment, the selected BloT device encrypts the outcome of the operation and transmits the encrypted performance outcome to the BloT server platform.
[0211] At 814, the record of operation is stored on the plurality of blockchain channels. Specifically, the BloT server is configured to receive the outcome of the operation and store the outcome of the operation on the blockchain ledger.

[0212] In another embodiment, the BloT server platform is configured to decrypt the encrypted outcome of operation and store the outcome of the operation on the blockchain ledger.
[0213] BloT secure management client deployed on the device performs intrusion detection, integrity monitoring, system auditing, threat detection and response and constantly analyzes the regulatory compliance ratings of the device, thus providing real time security analysis of the device to the system administrator. The subsequent logs are also put on the blockchain channel, hence establishing a trustless and decentralized environment.
[0214] The systems, devices and methods described herein may be utilized to provide an intrusion detection system wherein a record of malicious activity violating organizational policy and unsuccessful device authentication attempts are stored on the blockchain channel. By generating a wallet identity for all the devices attempting to connect with the BloT server platform, the records stored on the connection requests may be retrieved later by the system administrator to identify the malicious devices. Further, the use of a plurality of servers in the BloT server platform helps in monitoring the entire network for suspicious activities. Due to the advanced authentication standards provided by the blockchain networks, the intrusion detection system of the present invention prevents malicious devices from unintended access and control. Furthermore, a record of these malicious devices, including the device identities are stored in a timestamped format on the plurality of blockchain channels that assists intrusion detection and intrusion record retrieval. Certain intrusion detection implementations and advantages of the embodiments herein are described below.
[0215] According to an embodiment, an intrusion detection report may be generated, wherein the intrusion detection report includes an event of unsuccessful authentication of the plurality of IoT devices, a list of the plurality of registered BloT devices on the blockchain network, a system audit, feeding data into the plurality of blockchain network channels, activating a sensor connected to the plurality of BloT devices to feed data into the blockchain network channels, performing conditional statements or triggering a smart contract.

[0216] According to various embodiments, the peers in the blockchain network scan the monitored systems and networks to identify malware, rootkits and suspicious anomalies. Peers can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
[0217] The embodiments described herein provide for security analytics by collecting, aggregating, indexing, and analyzing security data to help organizations detect intrusions, threats, and behavioral anomalies. As cyber threats are becoming more sophisticated, real-time monitoring and security analysis are needed for fast threat detection and remediation. Therefore, the light-weight technology described in the present embodiment provides the necessary monitoring and response capabilities, while BloT server platform provides the security intelligence and performs data analysis.
[0218] For example, in addition to BloT peer capabilities, the BloT server platform uses a signature-based approach to intrusion detection, using its regular expression engine to analyze collected log data and look for indicators of compromise.
[0219] According to an embodiment, the BloT server platform may be configured to raise an alarm on detection of any anomaly in device connection or access control corresponding to the organizational policy.
[0220] Further, the present embodiments provide for log data analysis wherein the peers on the blockchain channels read operating system and application logs, and securely forward them to the system administrator for rule-based analysis and storage. The method assists the user to notice application or system errors, misconfigurations, attempted and/or successful malicious activities, policy violations, and other security and operational issues.
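The signature-based, rule-driven log analysis of [0218] to [0220] is illustrated by the following added Python example: regular-expression signatures are run over collected log lines, matches are counted per device inside a time window, and an alert is raised once a rule's threshold is reached. It is not the patent's or the assignee's code; the log format, the log lines and the three signatures are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed log lines in a simple "<epoch-seconds> <source> <message>" format.
LOG_LINES = """\
1700000000 auth-server authentication failed udid=dev-41 reason=wallet_mismatch
1700000004 auth-server authentication failed udid=dev-41 reason=wallet_mismatch
1700000009 auth-server authentication ok udid=dev-17
1700000011 auth-server authentication failed udid=dev-41 reason=wallet_mismatch
1700000012 data-server batch rejected udid=dev-17 reason=bad_tag
this line is malformed and must not break the analysis
1700000300 auth-server authentication failed udid=dev-41 reason=wallet_mismatch
1700000301 policy operation denied udid=dev-17 op=move_arm reason=device_policy
""".splitlines()


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern  # must define a named group "key" identifying the device
    threshold: int       # matches needed within the window before alerting
    window: int          # seconds


# Constructed rules mirroring events the patent records: failed authentication
# ([0214]), a batch whose source could not be authenticated (step 716), and an
# operation denied by organizational policy (step 806).
SIGNATURES = [
    Signature("repeated_auth_failure",
              re.compile(r"authentication failed udid=(?P<key>\S+)"), 3, 60),
    Signature("batch_source_rejected",
              re.compile(r"batch rejected udid=(?P<key>\S+)"), 1, 1),
    Signature("policy_violation",
              re.compile(r"operation denied udid=(?P<key>\S+)"), 1, 1),
]

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<source>\S+) (?P<msg>.*)$")


def analyze(lines, signatures=SIGNATURES):
    """Return alerts as (timestamp, rule name, device key, match count).
    Matches are kept per (rule, key) in a sliding window so that stale
    matches do not accumulate into a false alert."""
    recent = defaultdict(deque)  # (rule, key) -> timestamps of recent matches
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here; worth counting in production
        ts = int(m["ts"])
        for sig in signatures:
            hit = sig.pattern.search(m["msg"])
            if not hit:
                continue
            bucket = recent[(sig.name, hit["key"])]
            bucket.append(ts)
            while bucket and ts - bucket[0] >= sig.window:
                bucket.popleft()  # drop matches that fell out of the window
            if len(bucket) >= sig.threshold:
                alerts.append((ts, sig.name, hit["key"], len(bucket)))
                bucket.clear()  # reset so one burst yields one alert
    return alerts
```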
[0221] Further, the present embodiments provide for file integrity monitoring, wherein the BloT server platform monitors the file system, identifying changes in content, permissions, ownership and attributes of files that need attention. The BloT server platform also natively identifies users and applications used to create or modify files.

[0222] File integrity monitoring capabilities can be used in combination with threat intelligence to identify threats or compromised hosts. In addition, several regulatory compliance standards, such as PCI DSS require file integrity monitoring.
[0223] Further, the present embodiments provide automated vulnerability detection, wherein the peers on a blockchain channel pull software inventory data and send the software inventory data to the server. The software inventory data is thereafter correlated with continuously updated CVE (Common Vulnerabilities and Exposures) databases, in order to identify well-known vulnerable software.
[0224] Automated vulnerability assessment is advantageous in providing the user the ability to identify the weak spots in critical data assets and take action before being exploited by attackers.
[0225] The present embodiments provide for configuration assessment, wherein the BloT server platform monitors system and application configuration settings to ensure the configuration settings are compliant with the organization's security policies, standards and/or guides. Peers on the blockchain channels perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.
[0226] Additionally, the configuration checks can be customized, tailoring them to properly align with an organization. Alerts may be generated to include recommendations for better configuration, references, and mapping with regulatory compliance.
[0227] The present embodiments provide incident response capabilities and active responses to perform various countermeasures to address active threats, such as blocking access to a system from the threat source when certain criteria are met. In addition, BIoT devices can be used to remotely run commands or system queries, identifying indicators of compromise (IoCs) and performing other live forensics or incident response tasks.
[0228] Various embodiments as described herein provide the data security controls necessary to become compliant with industry standards and regulations. The security control features of the present disclosure, combined with scalability and multi-platform support, may help organizations meet technical compliance requirements.

[0229] The BIoT system may be widely used by payment processing companies and financial institutions to meet PCI DSS (Payment Card Industry Data Security Standard) requirements. The user interface on the BIoT system provides reports and dashboards that can help with industry regulations such as GDPR, NIST 800-53, GPG13, TSC SOC2, and HIPAA. The BIoT system may refer to the system of the present disclosure.
[0230] The BIoT system helps monitor cloud infrastructure at an API level, using integration modules that are able to pull security data from well-known cloud providers like Amazon AWS, Azure, or Google Cloud. In addition, the BIoT peer provides rules to assess the configuration of an organization's cloud environment, thereby easily spotting weaknesses.
[0231] Furthermore, BIoT lightweight and multi-platform peers are commonly used to monitor cloud environments at the instance level.
[0232] The present embodiments achieve container security by providing security visibility into hosts and Docker containers, monitoring container behavior and detecting threats, vulnerabilities, and anomalies. The BIoT peer has native integration with the Docker engine that allows users to monitor images, volumes, network configurations, and running containers.
[0233] The BIoT system continuously collects and analyzes detailed runtime information, for example alerting on containers running in privileged mode, vulnerable applications, a shell running in a container, changes to persistent volumes or images, and other possible threats.
[0234] The present systems and methods are operating system agnostic and available on Mac, Windows and Linux based operating systems, including operating systems deployed on smart phones.
[0235] The present systems and methods are device architecture agnostic and work on all the major devices, including devices with ARM and AMD architectures.

[0236] Referring to Figure 9, illustrated therein is a screen capture 900 of an example of a user interface displaying an inventory of registered devices, according to an embodiment. For the purposes of this section, new device refers to a BIoT device 106 registered on system 100 and connected to BIoT server platform 128 illustrated in Figure 1. The screen capture reflects services offered to an organization enrolled on the system 100. It is to be understood that an authorized user from the organization makes selections on the user interface to perform operations and receive services offered by the system 100.
[0237] Device ID 902 may include the information provided by the user to identify the device with respect to the location of the deployment of the device. The Department ID 904 may refer to the section within an industrial organization where the device is deployed. For example, the Department ID 904 may include an identification of a programmable logic controller (PLC). Tag number 906 may include information about the equipment where the device is deployed to collect information using sensors from that particular equipment. The Asset Identifier 908 is the Device Board ID or Device ID 902, which is unique and not duplicated within the BIoT network of devices. In order to successfully enroll the device on the BIoT network, a device ID 902 must be provided on the front-end device. Once the device ID is provided to the front-end device with the instruction to add new inventory, a curl command is created. The curl command is thereafter entered on the BIoT device terminal to download the BIoT peer onto the BIoT device. The BIoT device may be the device 402 and the front end may be the front-end device 404 of Figure 4.
[0238] The Status 910 reflects the current connection and data transmission state of the registered BIoT device. The system 100 is configured to monitor all the registered BIoT devices in real time. If the registered BIoT device is connected to the BIoT server platform 128 at a specific time, the Status 910 corresponding to the Device ID associated with the registered device may reflect as "connected" or "live" or "data transmission" at that specific time. If the registered device is not connected to the BIoT server platform 128 at a specific time, the status 910 corresponding to the Device ID 902 associated with the registered device may reflect as "disconnected" at that specific time, as illustrated in Figure 9.

[0239] The system 100 is configured to keep a digital record of the time at which a device was registered. Figure 9 depicts a timestamp 912 of the date and time on which a device was registered to the system 100.
[0240] The system 100 is configured to remove and unregister a device connected to the BIoT server platform 128. Actions 914 provides a user an option to remove the registered device corresponding to the Device ID 902 by selecting "Delete" on the screen.
[0241] Referring to Figure 10, illustrated therein is a screen capture 1000 of an example of a user interface for remote management of BIoT devices, according to an embodiment. For the purposes of this section, BIoT device refers to a BIoT device 106 registered on system 100 and connected to BIoT server platform 128 depicted in Figure 1. The screen capture 1000 reflects services offered to an organization enrolled on the system 100. It is to be understood that an authorized user from the organization makes selections on the user interface to perform operations and receive services offered by the system 100.
[0242] An authorized user selecting "Remote Management" on the user interface is shown the remote management status of a plurality of BIoT devices. The user may select a Device ID 1002 from a drop-down menu based on the user's preference regarding the device for which remote management status is to be inquired.
[0243] On selecting the Device ID 1002, the asset identifier 1004 corresponding to the device is displayed. The asset identifier 1004 is a unique identification key of a device that can be used globally. Asset identifier 1004 may also include the device board ID, which is a unique identifier for each device.
[0244] Status 1006 reflects the connection and operational condition of the device corresponding to the selected Device ID 1002. The status 1006 may be represented as "connected", "operational", "disconnected" or another state depending on the activity performed by the device.
[0245] Last active 1008 reflects the most recent time and date when the device corresponding to the selected Device ID 1002 was connected to the BIoT server platform.

[0246] Thereafter, the remote management and operational control of the device corresponding to the selected Device ID 1002 is displayed.
[0247] Bluetooth 1010 depicts the real-time status of the Bluetooth connectivity of the device corresponding to the selected Device ID 1002. As displayed in the screen capture 1000, the real-time status is reflected as "Up", which signifies that the Bluetooth port of the device is turned on to send and receive data, or to connect to another device. Further, the user may select from a drop-down menu in "Action" to turn the Bluetooth port of the device on or off.
[0248] USB 1012 depicts the real-time status of the universal serial bus connectivity of the device corresponding to the selected Device ID 1002. As displayed in the screen capture 1000, the real-time status is reflected as "Up", which signifies that the universal serial bus port of the device is open to send and receive data, or to connect to another device. Further, the user may make a selection from a drop-down menu in "Action" to enable or disable the universal serial bus connectivity to avoid physical data breach or intrusion on the device.
[0249] Port 1014 depicts the real-time status of a port on the device corresponding to the selected Device ID 1002. The port may refer to a communication interface between two computing devices. The port may include a display port, HDMI port, eSATA, PS/2, or a serial port. The user can select a port from the plurality of ports on the device from a drop-down menu. As displayed in the screen capture 1000, the real-time status is reflected as "Up", which signifies that the port of the device is open to send and receive data, or to connect to another device. Further, the user may select from a drop-down menu in "Action" to enable or disable the port. Port 1014 allows the user to remotely manage the firewall setting on the device.
[0250] Service 1016 depicts the security service currently being performed by the device corresponding to the selected Device ID 1002. As displayed in the screen capture 1000, the real-time status is reflected as "Up", which signifies that the security service is currently active. Further, the user may select from a drop-down menu in "Action" to enable or disable the port.

[0251] Process 1018 depicts the operational instructions currently being executed by the device corresponding to the selected Device ID 1002. Process 1018 allows the user to remotely terminate undesired processes running on the device.
[0252] Graph 1020 shows the BIoT device's performance parameters, which include the processor speed, battery life, and other key parameters, to allow the user to have a complete understanding of the device and BIoT performance.
[0253] Referring to Figure 11, illustrated therein is a screen capture 1100 of an example of data management of registered devices, according to an embodiment. For the purposes of this section, BIoT device refers to a BIoT device 106 registered on system 100 and connected to BIoT server platform 128 illustrated in Figure 1. The screen capture reflects services offered to an organization enrolled on the system 100. It is to be understood that an authorized user from the organization makes selections on the user interface to perform operations and receive services offered by the system 100.
[0254] An authorized user selecting "Data Management" on the user interface is presented the data management status of a plurality of BIoT devices. The user may select a Device ID 1102 from a drop-down menu based on the user's preference regarding the device for which data management status is to be inquired.
[0255] On selecting the Device ID 1102, the asset identifier 1104 corresponding to the device is displayed. The Asset Identifier 1104 is a unique identification key of a device that can be used globally.
[0256] Status 1106 reflects the connection and operational condition of the device corresponding to the selected Device ID 1102. The status 1106 may be represented as "active", "connected", "operational", "disconnected" or another state depending on the activity performed by the device.
[0257] Active since 1108 reflects the most recent time and date when the device corresponding to the selected Device ID 1102 was connected to the BIoT server platform.
[0258] Referring to Figure 12, illustrated therein is a screen capture 1200 of an example of a user interface providing security analysis and intrusion detection services on data transactions conducted by a device, according to an embodiment. For the purposes of this section, BIoT device refers to a BIoT device 106 registered on system 100 and connected to BIoT server platform 128 depicted in Figure 1. The screen capture reflects services offered to an organization enrolled on the system 100. It is to be understood that an authorized user from the organization makes selections on the user interface to perform operations and receive services offered by the system 100.
[0259] At 1202, Compliance represents an organization's compliance with a plurality of standards on data protection and cybersecurity. The compliance standards include PCI DSS (Payment Card Industry Data Security Standard), GDPR (European General Data Protection Regulation), NIST 800-53 (National Institute of Standards and Technology, United States of America), HIPAA (Health Insurance Portability and Accountability Act, 1996 of United States of America), GPG13 (Protective Monitoring for HMG ICT Systems), and TSC. Further, the system described herein may be configured to determine the number of BIoT devices conforming to each industry standard or pre-deployed intrusion detection rules.
[0260] At 1204, system performance indicators of the BIoT devices are presented. The system performance indicators include resources consumed such as battery, energy, RAM, CPU, wireless connection status, and packages and processes active in real time.
[0261] At 1206, the frequency of events for a specific timeframe is provided. Events may refer to activities or intrusions occurring on the BIoT device or BIoT network, wherein the event is inconsistent with the intrusion detection rules. The intrusion detection rules may refer to industry standards requirements such as PCI DSS and GDPR.
[0262] At 1208, a Software Composition Analysis (SCA) scan report is presented. It is to be understood that a SCA scan is presented for demonstration and any other security and risk scan may be performed. The SCA scan may verify compliance with industry cyber security and defence benchmarks, for example, the Center for Internet Security (CIS) Benchmark for Debian/Linux 10. The SCA scan report 1508 includes the number of BIoT devices meeting the compliance requirements and the number of BIoT devices failing to meet the compliance requirements. Further, the SCA scan report 1508 may include the number of benchmarks met.

[0263] At 1210, the geolocation of the BIoT device is provided. The geolocation may be provided using a JavaScript API.
[0264] The user interface as illustrated herein may be further configured to display the security services performed by the system 100. For example, security services may include Security events, Integrity monitoring, SCA, and System Auditing services performed for the selected device. A unique identifier of the device selected for intrusion detection system and security analysis may be displayed. For example, "ip-172-31-5-154" selected by the user may represent the unique identifier of a device connected to the BIoT server platform 128 for which security services are performed.
[0265] The user interface as illustrated herein may be further configured to indicate the device information for which security services are performed by the system 100. For example, a Device ID corresponding to the device selected for performing intrusion detection and security service, the status of connection to the BIoT server platform, the device version, the operating system running on the selected device, the date on which the device was registered on the BIoT server platform, and the last date on which the device was connected may be displayed.
[0266] The user interface as illustrated herein may be further configured to display the tactics and the frequency of tactics used by a hacker to gain unauthorized access to the system.
[0267] Referring to Figure 13, illustrated therein is a screen capture 1300 of an example of a user interface providing security analysis and intrusion detection services on data transactions conducted by a device, according to an embodiment. For the purposes of this section, BIoT device refers to a BIoT device 106 registered on system 100 and connected to BIoT server platform 128 depicted in Figure 1. The screen capture reflects services offered to an organization enrolled on the system 100. It is to be understood that an authorized user from the organization makes selections on the user interface to perform operations and receive services offered by the system 100.
[0268] At 1302, the ID corresponds to the device ID registered on the BIoT server platform and selected for security analysis. Further, 1302 provides the status of connection to the BIoT server platform, the IP address, the device version, the operating system running on the selected device, the date on which the device was registered on the BIoT server platform, and the last date on which the device was connected.
[0269] MITRE 1304 reflects the tactics and the frequency of tactics used by a hacker to gain unauthorized access to the system.
[0270] FIM: Recent events 1306 may represent File Integrity Monitoring and recent actions performed by the device, the time of action, the nature of action (deletion, addition), and the level of action performed based on organizational policy.
[0271] Events may refer to activities or intrusions occurring on the BIoT device or BIoT network, wherein the event is inconsistent with the intrusion detection rules. The intrusion detection rules may refer to industry standards requirements such as PCI DSS and GDPR.
[0272] Time 1308 may refer to the time of the occurrence of the recent event on the device.
[0273] Path 1310 may refer to the file location of the occurrence of the recent event. The path may refer to a location on the device or in the cloud.
[0274] Action 1312 may refer to the recent event performed. Alternatively, action 1312 may refer to the response taken to counter the threat on the network.
[0275] Rule Description 1314 may refer to the industry standard's requirement/statement about the rule.
[0276] Rule level 1316 may refer to the severity of the alert as per industry standards, for example the PCI DSS standard. Level 0 may refer to the lowest priority, whereas Level 7 may refer to a higher priority than Level 0.
[0277] Rule ID 1318 may refer to the identification information of the rule.
[0278] The system described herein may be further configured to display 'Top 5 Rule Groups' to reveal the top 5 key security threats against an industry standard witnessed by the BIoT network, and 'Requirement rules for PCI DSS', which may refer to the rules dynamically generated to comply with the industry standard to counter key security threats against an industry standard witnessed by the BIoT network.
[0279] The system described herein may be further configured to display stored intrusion detection rules, according to an embodiment. For example, a use of the label "PCI DSS" refers to the operational and technical requirements set forth by the Payment Card Industry Data Security Standard (PCI DSS) as required from entities holding cardholder data. The label "Requirements" may include codified rule sets of PCI DSS requirements to be used in the intrusion detection system described herein while monitoring network traffic.
[0280] "File" may refer to the identification information or location of the file which has witnessed an event. "Last modified" may refer to the date and time of the most recent change made to the file 1502. "User" may refer to the username. "User ID" may refer to the identification information of the user. "Group" may refer to the group or department to which the user belongs. "Group ID" may refer to the identification information of the group or department to which the user belongs. "Permissions" may refer to the system privileges of the user. "Size" may refer to the storage space consumed by the file.
[0281] Referring to Figure 14, illustrated therein is a screen capture 1400 of an example of a user interface providing security analysis and intrusion detection services on data transactions conducted by a device, according to an embodiment. For the purposes of this section, BIoT device refers to a BIoT device 106 registered on system 100 and connected to BIoT server platform 128 depicted in Figure 1. The screen capture reflects services offered to an organization enrolled on the system 100. It is to be understood that an authorized user from the organization makes selections on the user interface to perform operations and receive services offered by the system 100.
[0282] At 1402, Status corresponds to the logging activity of the BIoT devices registered to an organization and enrolled on the plurality of blockchain channels. The pie chart presents the comparative share of BIoT devices which are active, inactive, and never connected. "Active" devices may refer to BIoT devices relaying data in real time or performing operational instructions. The activity status of the BIoT device may be determined by the status of connection of the BIoT device with the BIoT server platform. Additionally, the activity status of the BIoT device may be determined by the status of connection of the BIoT device with each or any one of the plurality of blockchain channels. "Inactive" BIoT devices may refer to BIoT devices enrolled on the plurality of blockchain channels but not executing any operation in real time. The "Never Connected" BIoT device may refer to BIoT devices enrolled by the organization which have not performed any operation on the BIoT server platform or on each or any one of the plurality of blockchain channels.
[0283] At 1404, quantified values are presented for BIoT devices registered to an organization and enrolled on the plurality of blockchain channels. Namely, the number of BIoT devices active, disconnected/inactive, and never connected is presented. "Last Registered Device" represents the device name or identification information of the most recent BIoT device registered to an organization and enrolled on the plurality of blockchain channels.
[0284] At 1406, the geolocation of the BIoT device is provided. The geolocation may be provided using a JavaScript API.
[0285] At 1408, peer information is provided. According to an embodiment, the plurality of blockchain channels may be implemented by the plurality of BIoT devices configured as peers. The peer information includes:
[0286] ID: Device ID registered on the BIoT server platform;
[0287] Asset ID: Information provided by the user to identify the device with respect to the location of the deployment of the device;
[0288] "OS": Operating system running on the BIoT device;
[0289] "Version": Version issued by the manufacturer of the BIoT device;
[0290] Registration Date: Date of registration to an organization and enrolment on the plurality of blockchain channels;
[0291] Last Kept Alive: Most recent activity status; and
[0292] Status: The real-time connection and data transmission state of the registered BIoT device.

[0293] While the above description provides examples of one or more apparatus, methods, or systems, it will be appreciated that other apparatus, methods, or systems may be within the scope of the claims as interpreted by one of skill in the art.
[0294] A rule-based intrusion detection system reduces the consumption of computer resources including storage, energy, and processing cycles. Additionally, the network traffic is monitored in real time and any violation of intrusion detection rules is swiftly detected to prevent unauthorized access. The intrusion detection rules stored on the server detect and prevent suspicious activity at the network interface in the event that the IoT device or the front-end device is compromised. The immutable blockchain ledger automatically stores a historical record of data files and transactions performed. This obviates the need for maintaining or storing a reference database. Further, attempts to manipulate audit logs and reverse timestamps are prevented for data stored on the blockchain channel.


Claims (20)

Claims:
1. A computer system for building a trusted network of devices, the system comprising:
a plurality of blockchain channels configured as distinct distributed blockchain ledgers wherein each of the plurality of blockchain channels with designated servers thereof perform specific operations for security and access control of a plurality of IoT (Internet of Things) devices, the plurality of blockchain channels including:
an authentication blockchain channel configured to:
register the plurality of IoT devices by storing a unique identifier corresponding to the plurality of IoT devices, wherein the unique identifier is based on one or more of a TLS certificate in Hyperledger Fabric, a digital certificate, a digital signature, a key pair, and a device UUID (universally unique identifier);
authenticate the plurality of IoT devices attempting to connect to the plurality of blockchain channels by verifying the unique identifier of the plurality of IoT devices;
permit the plurality of IoT devices to access the plurality of blockchain channels after successful authentication;
wherein the authentication blockchain channel includes a plurality of IoT (Internet of Things) endorsing peers to verify an authentication transaction associated to either of the plurality of IoT devices;
wherein the authentication blockchain channel is connected to a digital certificate authority to receive digital certificates for registration and authentication of the plurality of IoT devices;
a data blockchain channel configured to:
generate and store a cryptographic hash of every data set transacted on the plurality of blockchain channels;
a remote blockchain channel configured to:
store an organizational policy corresponding to a plurality of registered IoT devices, wherein the plurality of registered IoT devices include the plurality of IoT devices registered on the authentication blockchain channel;
receive an operation request from the plurality of IoT devices;
verify whether the operation request is received from the plurality of registered IoT devices and the operation request is permitted by the organizational policy;
permit the operation request on successful verification;
a security blockchain channel configured to:
store any one or more of a plurality of security log records, transaction logs, data access requests, and time-stamped hash files, of the plurality of IoT devices to provide a secure record for data audits, wherein the transaction logs include any one or more of IoT wallet information, session token, device location information, number of access attempts, and port access information;
an intrusion detection blockchain channel configured to:
monitor network data communicated on the plurality of blockchain channels;
detect intrusion based on violation of intrusion detection rules, wherein when an IoT device violates the intrusion detection rules, an anomaly alert is generated and a security response is triggered, and wherein the intrusion detection rules include any one or more of a baseline of organizational device operations, data access pattern, remote management instructions, organization's data storage and access policy, wherein the violation of the intrusion detection rules is detected by either one or more of anomaly-based detection or signature-based detection;
store system penetration data, transaction logs of a suspicious intruding device, and tampered data files on violation of the intrusion detection rules; and
communicate intrusion details including port information or location of intrusion, rule breach information, transaction log, path name, data/attribute modification, update operations, suspicious access patterns, structural changes to content, previous content values, and operations performed.
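As an added model of the channel responsibilities in claim 1 and of the tamper-evidence argument in [0294] (example code written for this page, not the patent's code and not Hyperledger Fabric), the Python below keeps one hash-linked, append-only record list per channel and walks a device through registration, authentication, a policy-checked operation request and a hashed data submission. Certificates are stood in for by fingerprinting constructed byte strings, the policy dictionary keys (max_failed_auth, permitted_operations, permitted_ports) are assumptions, and a single in-process ledger replaces the replicated endorsing peers and orderers of a real network.

```python
import hashlib
import json

GENESIS = "0" * 64


class Channel:
    """Append-only, hash-linked records standing in for one blockchain channel.

    Single-process simplification: a real deployment replicates the ledger
    across endorsing peers and orderers, which this model omits.
    """

    def __init__(self, name):
        self.name = name
        self.blocks = []

    def append(self, record):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = json.dumps(record, sort_keys=True)
        block_hash = hashlib.sha256((prev + body).encode()).hexdigest()
        self.blocks.append({"prev": prev, "record": record, "hash": block_hash})
        return block_hash

    def verify(self):
        """Recompute every link; an edited or reordered block breaks the chain."""
        prev = GENESIS
        for block in self.blocks:
            body = json.dumps(block["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True

    def records(self):
        return [block["record"] for block in self.blocks]


class TrustedNetwork:
    """Authentication, data, remote, security and intrusion detection channels of claim 1."""

    def __init__(self, policy):
        # Assumed policy keys: max_failed_auth, permitted_operations, permitted_ports.
        self.auth, self.data, self.remote = Channel("authentication"), Channel("data"), Channel("remote")
        self.security, self.ids = Channel("security"), Channel("intrusion-detection")
        self.policy = policy
        self.remote.append({"event": "policy", "policy": policy})
        self.registered = {}   # device UUID -> certificate fingerprint
        self.failed_auth = {}  # device UUID -> consecutive failed attempts

    @staticmethod
    def fingerprint(cert_bytes):
        # Stand-in for a CA-issued certificate: only the constructed bytes are fingerprinted.
        return hashlib.sha256(cert_bytes).hexdigest()

    def register(self, device_uuid, cert_bytes):
        fp = self.fingerprint(cert_bytes)
        self.registered[device_uuid] = fp
        self.auth.append({"event": "register", "device": device_uuid, "cert_fp": fp})

    def authenticate(self, device_uuid, cert_bytes):
        ok = self.registered.get(device_uuid) == self.fingerprint(cert_bytes)
        self.auth.append({"event": "authenticate", "device": device_uuid, "ok": ok})
        # The security channel keeps the audit trail, including the access-attempt count.
        self.failed_auth[device_uuid] = 0 if ok else self.failed_auth.get(device_uuid, 0) + 1
        self.security.append({"event": "auth_attempt", "device": device_uuid, "ok": ok,
                              "failed_attempts": self.failed_auth[device_uuid]})
        if self.failed_auth[device_uuid] >= self.policy["max_failed_auth"]:
            self.ids.append({"alert": "repeated_auth_failure", "device": device_uuid,
                             "attempts": self.failed_auth[device_uuid]})
        return ok

    def request_operation(self, device_uuid, operation, port=None):
        """Remote channel check: registered device, permitted operation, permitted port."""
        if device_uuid not in self.registered:
            verdict = "unregistered"
        elif operation not in self.policy["permitted_operations"]:
            verdict = "denied_by_policy"
        elif port is not None and port not in self.policy["permitted_ports"]:
            verdict = "port_not_permitted"
        else:
            verdict = "permitted"
        self.remote.append({"event": "operation", "device": device_uuid,
                            "operation": operation, "port": port, "verdict": verdict})
        if verdict != "permitted":  # rule violation -> anomaly alert on the IDS channel
            self.ids.append({"alert": "policy_violation", "device": device_uuid,
                             "operation": operation, "port": port, "reason": verdict})
        return verdict

    def submit_data(self, device_uuid, payload):
        """Data channel: store a hash of every data set, never the payload itself."""
        if device_uuid not in self.registered:
            raise PermissionError("unregistered device")
        digest = hashlib.sha256(payload).hexdigest()
        self.data.append({"event": "dataset", "device": device_uuid, "sha256": digest})
        return digest

    def alerts(self):
        return self.ids.records()

    def ledgers_intact(self):
        return all(ch.verify() for ch in (self.auth, self.data, self.remote, self.security, self.ids))
```

The hash chain gives the tamper evidence [0294] relies on: rewriting any stored record, including an audit entry or its position in the sequence, changes the recomputed link and verify() fails. What the chain does not give is availability or consensus; those come from replication across peers, which is exactly the part this single-process model leaves out.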
2. The system of claim 1 further comprising:
a blockchain server platform including:
an authentication server connected to the authentication blockchain channel and the plurality of IoT devices, the authentication server configured to decrypt a registration request to extract the unique identifier of the plurality of IoT devices and a data interaction request received from the plurality of IoT devices, wherein the authentication server verifies the unique identifier with a record of registered devices stored on the authentication blockchain channel;
a data server connected to the data blockchain channel and the plurality of IoT devices, the data server configured to decrypt incoming data from the plurality of IoT devices and communicate the incoming data to the plurality of blockchain channels;
a remote server configured to perform remote management operation by directly connecting a frontend device to the plurality of IoT devices and the remote blockchain channel for transmission of the operation request; and
a security server connected to the security blockchain channel, the intrusion detection blockchain channel, and the plurality of IoT devices, the security server configured to process the operation request for providing the device logs and verify regulatory compliance of the plurality of IoT devices based on the intrusion details; and
wherein a registration status and authentication data of either of the plurality of IoT devices is communicated to the plurality of blockchain channels by the authentication blockchain channel.
3. The system of claim 1 further comprising a plurality of blockchain orderers configured to synchronize a plurality of nodes on the plurality of blockchain channels.
4. The system of claim 1 further comprising a plurality of certification authorities configured to:
generate a plurality of digital certificates for the plurality of IoT devices; and
validate the plurality of digital certificates for verifying the plurality of IoT devices.
5. The system of claim 1, wherein the plurality of blockchain channels are developed on Hyperledger Fabric.
6. The system of claim 1, wherein the plurality of blockchain channels further includes an encrypted data streaming blockchain channel configured to:
receive and decrypt a data stream from either one or more of Programmable Logic Controllers (PLC) or the plurality of IoT devices;
authenticate a device wallet identity, wherein the device wallet identity includes the unique identifier; and
store a decrypted data stream from either one or more of the Programmable Logic Controllers (PLC) or the plurality of IoT devices in a data lake server.
7. The system of claim 2, wherein the operation request is further configured as a smart contract.
8. The system of claim 2, wherein the operation request includes analyzing device logs, an intrusion detection report wherein the intrusion detection report includes an event of unsuccessful authentication of the plurality of IoT devices, a list of the plurality of registered IoT devices, a system audit, feeding data into the plurality of blockchain channels, activating a sensor connected to the plurality of IoT devices to feed data into the blockchain channels, performing a conditional statement or triggering a smart contract.
9. The system of claim 3, wherein the organizational policy includes requirements for permitted operation request, data sharing protocols, encryption protocols for data storage and access, power allocation to the plurality of nodes, and permitted device operations.
10. A computer-implemented method for building a trusted network of devices, the method comprising:
enrolling an organization on a blockchain server platform connected to a plurality of blockchain channels configured as distinct distributed blockchain ledgers, wherein each of the plurality of blockchain channels with designated servers thereof performs specific operations for security and access control of a plurality of IoT (Internet of Things) devices, the plurality of blockchain channels including an authentication blockchain channel, a data blockchain channel, a remote blockchain channel, a security blockchain channel, and an intrusion detection blockchain channel;
registering, on the authentication blockchain channel, the plurality of IoT (Internet of Things) devices by storing a unique identifier corresponding to the plurality of IoT devices, wherein the unique identifier is based on one or more of a TLS certificate in Hyperledger Fabric, a digital certificate, a key pair, and a device UUID (universally unique identifier);
authenticating, on the authentication blockchain channel, the plurality of IoT devices attempting to connect to the plurality of blockchain channels by verifying the unique identifier of the plurality of IoT devices;
permitting, by the authentication blockchain channel, the plurality of IoT devices access to the plurality of blockchain channels after successful authentication;
wherein the authentication blockchain channel includes a plurality of IoT (Internet of Things) endorsing peers to verify an authentication transaction associated to either of the plurality of IoT devices;
wherein the authentication blockchain channel is connected to a digital certificate authority to receive digital certificates for registration and authentication of the plurality of IoT devices;
generating and storing, by the data blockchain channel, a cryptographic hash of every data set transacted on the plurality of blockchain channels;
storing, by the remote blockchain channel, an organizational policy corresponding to a plurality of registered IoT devices, wherein the plurality of registered IoT devices include the plurality of IoT devices registered on the authentication blockchain channel;
receiving, by the remote blockchain channel, an operation request from the plurality of IoT devices;
verifying, by the remote blockchain channel, whether the operation request is received from the plurality of registered IoT devices and the operation request is permitted by the organizational policy;
permitting, by the remote blockchain channel, the operation request on successful verification;
storing, by the security blockchain channel, any one or more of a plurality of security log records, transaction logs, data access requests, and time-stamped hash files of the plurality of IoT devices to provide a secure record for data audits, wherein the transaction logs include any one or more of IoT wallet information, session token, device location information, number of access attempts, and port access information;
monitoring, by the intrusion detection blockchain channel, a network data communicated on the plurality of blockchain channels;
detecting intrusion, by the intrusion detection blockchain channel, based on violation of intrusion detection rules, wherein when an IoT device violates the intrusion detection rules an anomaly alert is generated and a security response is triggered, and wherein the intrusion detection rules include any one or more of a baseline of organizational device operations, data access pattern, remote management instructions, and organization's data storage and access policy, wherein the violation of the intrusion detection rules is detected by either one or more of anomaly-based detection or signature-based detection;
storing, by the intrusion detection blockchain channel, system penetration data, transaction logs of a suspicious intruding device, and tampered data files on violation of the intrusion detection rules; and
communicating, by the intrusion detection blockchain channel, intrusion details including port information or location of intrusion, rule breach information, transaction log, path name, data/attribute modification, update operations, suspicious access patterns, structural changes to content, previous content values, and operations performed.
11. The method of claim 10, wherein the method further comprises:
registering the plurality of IoT (Internet of Things) devices on the blockchain server platform by storing a wallet identity for each of the plurality of IoT (Internet of Things) devices on the plurality of blockchain channels, wherein the wallet identity includes the unique identifier;
authenticating the plurality of IoT devices using the wallet identity by receiving an endorsement by a plurality of peer nodes on the plurality of blockchain channels;
collecting on the blockchain server platform a device data received from a plurality of sensors on the plurality of IoT devices;
encrypting the device data and simultaneously storing it on the plurality of blockchain channels;
updating the plurality of peer nodes with the updated version of the device data; and
retrieving the device data upon receiving an operation request for a plurality of authenticated IoT devices;
wherein the plurality of blockchain channels include:
an authentication server connected to the authentication blockchain channel and the plurality of IoT devices, the authentication server configured to decrypt a registration request to extract the unique identifier of the plurality of IoT devices and a data interaction request received from the plurality of IoT devices, wherein the authentication server verifies the unique identifier with a record of registered devices stored on the authentication blockchain channel;
a data server connected to the data blockchain channel and the plurality of IoT devices, the data server configured to decrypt an incoming data from the plurality of IoT devices and communicate the incoming data to the plurality of blockchain channels;
a remote server configured to perform remote management operation by directly connecting a frontend device to the plurality of IoT devices and the remote blockchain channel for transmission of the operation request; and
a security server connected to the security blockchain channel, the intrusion detection blockchain channel, and the plurality of IoT devices, the security server configured to process the operation request for providing the device logs and verify regulatory compliance of the plurality of IoT devices based on the intrusion details;
wherein a registration status and authentication data of the either of the plurality of IoT devices is communicated to the plurality of blockchain channels by the authentication blockchain channel.
12. The method of claim 10, further comprising synchronizing the plurality of peer nodes using a plurality of blockchain orderers.
13. The method of claim 10, wherein the method further comprises:
receiving and decrypting, by an encrypted data streaming blockchain channel, a data stream from either one or more of a Programmable Logic Controllers (PLC) or the plurality of IoT devices;
authenticating the wallet identity by the encrypted data streaming blockchain channel; and
storing, by the encrypted data streaming blockchain channel, a decrypted data stream from either one or more of the Programmable Logic Controllers (PLC) or the plurality of IoT devices in a data lake server.
14. The method of claim 10, further comprising issuing a plurality of random session tokens after successful authentication of the plurality of IoT devices, wherein the plurality of random session tokens includes a set of logical instructions to be performed based on the operation request received from the plurality of IoT devices.
15. The method of claim 10, wherein the plurality of sensors include a temperature sensor, a pressure sensor, a proximity sensor, an accelerometer and gyroscope sensor, an IR sensor, an optical sensor, an illumination sensor, a humidity sensor, a motion sensor, a sound sensor, a magnetic sensor, and an air quality sensor.
16. The method of claim 11, wherein the operation request includes analyzing device logs, an intrusion detection report wherein the intrusion detection report includes an event of unsuccessful authentication of the plurality of IoT devices, a list of the plurality of registered IoT devices, a system audit, feeding data into the plurality of blockchain channels, activating a sensor connected to the plurality of IoT devices to feed data into the blockchain channels, performing a conditional statement or triggering a smart contract.
17. A computer-implemented method for building a trusted network of devices, the method comprising:
performing an operation at a frontend device and sending an operation request to a blockchain server platform and a plurality of blockchain channels configured as distinct distributed blockchain ledgers, wherein each of the plurality of blockchain channels with designated servers thereof performs specific operations for security and access control of a plurality of IoT (Internet of Things) devices;
validating the access permissions of the frontend device and the operation request according to an organizational policy and a wallet identity of the frontend device, wherein the wallet identity includes a unique identifier, and wherein the unique identifier is based on one or more of a TLS certificate in Hyperledger Fabric, a digital certificate, a key pair, and a device UUID (universally unique identifier);
sending the operation request to the plurality of IoT devices in encrypted format on successful validation;
decryption of the operation request by the plurality of IoT devices and execution of the operation request by the plurality of IoT devices;
sending an operation result to the blockchain server platform and the plurality of blockchain channels;
storing a record of the operation result to the plurality of blockchain channels; and
detecting intrusion based on violation of intrusion detection rules, wherein when an IoT device violates the intrusion detection rules an anomaly alert is generated and a security response is triggered, and wherein the intrusion detection rules include any one or more of a baseline of organizational device operations and data access pattern.
18. The method of claim 17, wherein the plurality of blockchain channels include:
an authentication blockchain channel configured to:
register the plurality of IoT devices by storing the wallet identity corresponding to the plurality of IoT devices;
authenticate the plurality of IoT devices attempting to connect to the plurality of blockchain channels by verifying the wallet identity of the plurality of IoT devices;
permit the plurality of IoT devices access to the plurality of blockchain channels after successful authentication;
wherein the authentication blockchain channel includes a plurality of IoT (Internet of Things) endorsing peers to verify an authentication transaction associated to either of the plurality of IoT devices;
wherein the authentication blockchain channel is connected to a digital certificate authority to receive digital certificates for registration and authentication of the plurality of IoT devices;
a data blockchain channel configured to:
generate and store a cryptographic hash of every data set transacted on the plurality of blockchain channels;
a remote blockchain channel configured to:
store an organizational policy corresponding to a plurality of registered IoT devices, wherein the plurality of registered IoT devices include the plurality of IoT devices registered on the authentication blockchain channel;
receive an operation request from the plurality of IoT devices;
verify whether the operation request is received from the plurality of registered IoT devices and the operation request is permitted by the organizational policy;
permit the operation request on successful verification;
a security blockchain channel configured to:
store any one or more of a plurality of security log records, transaction logs, data access requests, and time-stamped hash files of the plurality of IoT devices to provide a secure record for data audits, wherein the transaction logs include any one or more of IoT wallet information, session token, device location information, number of access attempts, and port access information;
an intrusion detection blockchain channel configured to:
monitor a network data communicated on the plurality of blockchain channels;
detect intrusion based on violation of intrusion detection rules, wherein when an IoT device violates the intrusion detection rules, an anomaly alert is generated and a security response is triggered, and wherein the intrusion detection rules include any one or more of the baseline of organizational device operations, data access pattern, remote management instructions, and organization's data storage and access policy, wherein the violation of the intrusion detection rules is detected by either one or more of anomaly-based detection or signature-based detection;
store system penetration data, transaction logs of a suspicious intruding device, and tampered data files on violation of the intrusion detection rules;
communicate intrusion details including port information or location of intrusion, rule breach information, transaction log, path name, data/attribute modification, update operations, suspicious access patterns, structural changes to content, previous content values, and operations performed;
an authentication server connected to the authentication blockchain channel and the plurality of IoT devices, the authentication server configured to decrypt a registration request to extract the unique identifier of the plurality of IoT devices and a data interaction request received from the plurality of IoT devices, wherein the authentication server verifies the unique identifier with a record of registered devices stored on the authentication blockchain channel;
a data server connected to the data blockchain channel and the plurality of IoT devices, the data server configured to decrypt an incoming data from the plurality of IoT devices and communicate the incoming data to the plurality of blockchain channels;
a remote server configured to perform remote management operation by directly connecting a frontend device to the plurality of IoT devices and the remote blockchain channel for transmission of the operation request; and
a security server connected to the security blockchain channel, the intrusion detection blockchain channel, and the plurality of IoT devices, the security server configured to process the operation request for providing the device logs and verify regulatory compliance of the plurality of IoT devices based on the intrusion details;
wherein a registration status and authentication data of the either of the plurality of IoT devices is communicated to the plurality of blockchain channels by the authentication blockchain channel.
19. The method of claim 17, wherein the method further comprises:
receiving and decrypting, by an encrypted data streaming blockchain channel, a data stream from either one or more of a Programmable Logic Controllers (PLC) or the plurality of IoT devices;
authenticating the wallet identity by the encrypted data streaming blockchain channel; and
storing, by the encrypted data streaming blockchain channel, a decrypted data stream from either one or more of the Programmable Logic Controllers (PLC) or the plurality of IoT devices in a data lake server.
20. The method of claim 17, further comprising:
issuing a plurality of encryption keys from the blockchain server platform;
transmitting the plurality of encryption keys to the plurality of IoT devices; and
renewing the encryption keys on execution of the operation request by the plurality of IoT devices.
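The remote blockchain channel's verification step in claims 10 and 17 (is the operation request from a registered device, and is the operation permitted by the organizational policy), together with the security channel's time-stamped hash records and an intrusion-detection rule on repeated unsuccessful authentication, modelled as an added Python example that is not part of the patent or any implementation by the assignee. It assumes an HMAC over a per-device secret as a stand-in for the claimed key pair / TLS certificate, an in-memory hash chain as a stand-in for a Hyperledger Fabric channel, and constructed device names, secrets, operations and failure limit.

```python
import hashlib
import hmac
import json

FAILED_AUTH_LIMIT = 3  # constructed intrusion-detection rule: failures before an alert


def _digest(body: dict) -> str:  # canonical SHA-256; sorted keys keep it deterministic
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Ledger:  # append-only, hash-chained records: stand-in for one blockchain channel
    def __init__(self):
        self.records = []

    def append(self, ts: int, **payload) -> str:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"prev": prev, "ts": ts, **payload}  # time-stamped, linked to previous record
        body["hash"] = _digest(body)
        self.records.append(body)
        return body["hash"]

    def verify_chain(self) -> bool:  # recompute every hash; an edited record breaks the chain
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def make_tag(secret: str, device_id: str, op: str, ts: int) -> str:
    # device-side proof over the request; HMAC stands in for the claimed key-pair signature
    return hmac.new(secret.encode(), f"{device_id}|{op}|{ts}".encode(), "sha256").hexdigest()


class RemoteChannel:  # device registry, organizational policy and security log together
    def __init__(self):
        self.registry = {}  # device UUID -> device secret (stand-in for key pair / TLS cert)
        self.policy = {}  # device UUID -> operations permitted by the organizational policy
        self.security_log = Ledger()
        self.failed_auth = {}  # device UUID -> count of unsuccessful authentications
        self.alerts = []  # anomaly alerts raised by the intrusion-detection rule

    def register(self, device_id: str, secret: str, permitted_ops) -> None:
        self.registry[device_id] = secret
        self.policy[device_id] = set(permitted_ops)

    def handle(self, device_id: str, op: str, tag: str, ts: int) -> str:
        secret = self.registry.get(device_id)
        if secret is None or not hmac.compare_digest(make_tag(secret, device_id, op, ts), tag):
            decision = "denied:unauthenticated"  # unregistered device or bad proof
            self.failed_auth[device_id] = self.failed_auth.get(device_id, 0) + 1
            if self.failed_auth[device_id] == FAILED_AUTH_LIMIT:
                self.alerts.append(device_id)
        elif op not in self.policy[device_id]:
            decision = "denied:policy"  # registered, but operation not in its policy
        else:
            decision = "permitted"
        self.security_log.append(ts, device=device_id, op=op, decision=decision)  # audit record
        return decision
```

Every decision, including denials, lands in the hash-chained security log, so an auditor can detect a record that was altered after the fact by recomputing the chain.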
Priority Applications (1)

Application Number Priority Date Filing Date Title
CA3131208A CA3131208C (en) 2021-09-17 2021-09-17 System and method for building a trusted network of devices

Publications (2)

Publication Number Publication Date
CA3131208A1 CA3131208A1 (en) 2023-01-16
CA3131208C true CA3131208C (en) 2024-01-02

Family

ID=84829493

Country Status (1)

Country Link
CA (1) CA3131208C (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117110636B (en) * 2023-10-19 2024-01-23 本溪钢铁(集团)信息自动化有限责任公司 Data communication processing method, device and system for electronic weighing detection of coal samples
